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Executive  Summary 


Biometric  Data  Safeguarding  Technologies  Analysis  and  Best  Practices  International 
Biometric  Group  DRDC  CSS  CR  2011-29  December  2011 


Background 


This  document  is  the  Study  Report  for  PSTP  02-035 IBIO,  Biometric  Data  Safeguarding  Technologies  Analysis 
and  Best  Practices.  One  of  the  main  goals  of  the  Public  Security  Technical  Program  (PSTP)  Biometrics 
Community  of  Practice  is  to  evaluate,  analyze,  and  implement  biometric  technologies  that  enhance  national 
capabilities  in  access  control,  identity  verification,  and  e-Commerce  security  in  a  manner  that  is  consistent  with 
Canadian  laws  and  acts.  This  is  done  in  collaboration  with  the  appropriate  Government  of  Canada  agencies  and 
departments  responsible  for  national  security,  border  control  and  security,  and  law  enforcement  and  immigration. 

The  Lead  Federal  Department  for  the  Study  is  Canada  Border  Services  Agency  (CBSA).  Additional  partners  include 
the  following: 

•  Royal  Canadian  Mounted  Police 

•  Transport  Canada 

•  Defence  Research  and  Development  Canada  (DRDC)  -  Toronto 

•  Office  of  the  Information  and  Privacy  Commissioner  of  Ontario 

•  University  of  Toronto 

•  Indiana  University-Purdue  University  Indianapolis  (lUPUI) 

•  IBG-Canada 

The  rapid  progress  of  biometrics  technology  in  the  last  few  years  and  the  ease  with  which  biometrics  data  can  be 
acquired  has  resulted  in  the  accumulation  of  large  varying  databases  of  biometrics  information.  This  trend  will 
continue  in  the  future,  with  databases  growing  at  an  ever-increasing  rate.  The  purpose  of  the  Study  is  to  examine 
some  of  the  issues  surrounding  the  sharing  and  safeguarding  of  biometric  data  in  the  Canadian  Public  Security 
context  writ  large.  Throughout  the  study,  the  modality  focus  will  be  on  iris  biometrics  (prime  focus)  and  fingerprints 
(secondary). 

Biometric  privacy  enhancing  technologies  (PETs)  are  among  the  most  promising  technologies  for  data  safeguarding. 
These  technologies  leverage  biometric  information  to  improve  and  ensure  personal  privacy  while  protecting 
sensitive  information  and  assets.  PETs  can  be  categorized  as  follows: 

•  Untraceable  Biometrics  -  defined  by  Dr.  Ann  Cavoukian,  Ontario  Privacy  Commissioner,  as  a  new  class  of 
emerging  privacy  enhancing  technologies  such  as  biometric  encryption 

•  Anonymous  Biometrics  -  a  system  where  biometric  data  are  not  connected  to  any  personal  data;  biometric  data 
can  be  taken  to  another  system  to  connect  with  personal  information 

•  Revocable  (^‘Private”)  Biometrics  -  allow  people  to  have  multiple  biometric  identities  using  the  same 
biometric  information;  identities  can  be  used  independently  or  anonymously 

This  document  presents  methodologies  and  results  from  scientific  studies  that  identify  and  evaluate  biometric 
technologies  with  respect  to  their  ability  to  be  used  securely  (in  terms  of  safeguarding  biometric  databases).  These 
new  biometric  technologies  and  associated  data  safeguarding  capabilities  must  be  consistent  with  the  Government  of 
Canada’s  dual  prosperity  and  security  mandates,  and  must  consider  legal,  ethical,  cultural,  and  privacy  issues. 


Biometric  Data  Sharing  and  Safeguarding  Considerations 


The  scale  and  complexity  of  biometric  samples  gathered  by  national  and  international  systems  are  increasing  and 
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becoming  widespread.  The  current  maturity  level  of  biometrics  has  facilitated  the  use  of  biometrics  in  a  wide  range 
of  government  applications,  while  much  work  remains  in  devising  acceptable  ways  of  controlling  the  use,  storage, 
and  exchange  of  biometric  data  and  personal  information. 

Privacy  threats  related  to  biometrics  have  been  discussed  extensively.  Major  privacy  risk  areas  are  described  as 
followed: 

•  The  ability  to  cross  match  data  subjects  across  different  services  or  applications  by  comparing  biometric 
templates. 

•  The  possibility  to  extract  sensitive  information  from  the  stored  biometric  data 

•  The  extension  of  application  scope  of  biometric  technology  outside  consent  of  the  owner 

The  various  security  threats  associated  with  data  sharing  and  safeguarding  can  be  described  by  potential  attacks  on 
various  components  of  a  biometric  systems,  including  during  biometric  data  capture,  storage,  and  transmission.  Key 
security  concepts  related  to  data  safeguarding  include  confidentiality,  integrity,  and  revocability. 

Confidentiality  ensures  that  information  is  not  disclosed  to  unauthorized  entities.  In  a  biometric  system,  biometric 
data  is  stored  and  transmitted  between  various  subsystems.  Both  storage  and  transmission  of  data  should  be 
protected  against  eavesdropping,  unauthorized  disclosure  or  modification  of  the  data.  This  requires  cryptographic 
techniques  such  as  biometric  encryption,  or  symmetric  or  asymmetric  ciphers. 

Integrity  is  the  property  of  safeguarding  the  accuracy  and  completeness  of  assets  in  a  given  dataset.  If  the  integrity 
of  a  biometric  reference  or  the  result  of  the  various  processing  algorithms  and  subsystems  are  untrustworthy,  the 
verification  outcome  will  also  be  untrustworthy.  Cryptographic  means  to  protect  the  integrity  of  the  data,  such  as 
signatures  or  authenticated  encryption  and  time  stamping,  are  required. 

A  strong  security  concern  for  biometric  system  relates  to  revocability  and  renewability  of  biometric  templates. 
Individuals  have  a  limited  number  of  irises  and  fingers;  identity  theft  renders  corresponding  biometric  template  as 
unusable  for  future  use.  Due  to  the  persistence  of  biometric  characteristics,  a  compromised  biometric  template  is 
compromised  forever.  The  risk  of  compromised  templates  can  be  mitigated  for  certain  types  of  attacks  by  providing 
methods  to  allow  renewable  biometric  templates. 

Modality-Specific  Considerations 

Fingerprint,  face  recognition,  and  iris  recognition  are  among  the  primary  modalities  considered  for  use  in  data 
safeguarding  applications. 


Fingerprint:  Strengths 

Fingerprint:  Weaknesses 

•  Proven  technology  capable  of  high  accuracy 

•  Performance  (accuracy,  throughput)  of  leading 
technologies  is  well-documented  and  understood 

•  Ability  to  enroll  multiple  fingers;  exceptionally  high 
accuracy  for  ten  print  collections 

•  Ergonomic,  easy-to-use  devices 

•  Fingerprint  data  is  almost  universally  interoperable, 
facilitating  searches  against  watchlists 

•  Performance  can  deteriorate  over  time 

•  Association  with  forensic  applications 

•  Users  can  intentionally  damage  fingerprints,  reducing 
performance 

•  Implementation  of  large-scale  systems  requires  highly 
specialized  expertise  for  performance  tuning  and 
optimization 

Face  Recognition:  Strengths 

Face  Recognition:  Weaknesses 

•  Does  not  require  user  training  or  effort 

•  Can  often  leverage  existing  image  datasets  and  existing 
photograph  processes 

•  Capable  of  identification  at  a  distance 

•  Capable  of  rapid  1  :N  identification  with  relatively  little 

•  Susceptible  to  high  false  non-match  rates  in  1 : 1  and  1  :N 
applications 

•  Changes  in  acquisition  environment  reduce  matching 
accuracy 

•  Changes  in  physiological  characteristics  reduce  matching 
accuracy 
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processing  power 

•  Performance  improves  hand-in-hand  with  camera  quality 
and  image  resolution 

•  Lighting,  camera  angle  reduce  matching  accuracy 

Iris  Recognition:  Strengths 

Iris  Recognition:  Weaknesses 

•  Exceptionally  resistant  to  false  matching 

•  Default  operation  is  identification  mode 

•  High  stability  of  characteristic  over  lifetime 

•  Hands-free  operation 

•  Real-time  searches  against  large  datasets  (e.g.  10m  irises) 
are  possible  with  modest  CPU  loads 

•  Acquisition  of  iris  image  requires  more  training  and 
attentiveness  than  most  biometrics 

•  User  discomfort  with  eye-based  technology 

•  Glasses  can  impact  performance 

•  Propensity  for  false  non-matching  or  failure  to  capture 

Select  Biometric  Data  Safeguarding  Implementations 


The  rapid  advancement  of  biometric  technology  along  with  the  ease  with  which  biometrics  data  can  be  acquired  has 
resulted  in  the  accumulation  of  large  datasets  of  biometrics  information.  However,  reporting  of  best  practices  has 
been  minimal  in  regards  to  data  sharing  and  safeguarding.  Critical  areas  assessed  in  this  Study  include  system 
requirements,  risk  factors,  strengths  and  weaknesses  of  the  deployed  data  safeguarding  technologies,  privacy  issues, 
and  performance.  The  objective  is  to  provide  deploy ers  and  decisions-makers  with  the  full  range  of  information 
necessary  to  implement  secure  and  interoperable  solutions  in  defence  and  security  applications.  Implementations 
analyzed  are  an  follows: 


Border  /  Traveler  Systems 

Civil  ID  /  Criminal  ID 

Surveillance 

•  U.S.  Visitor  and  Immigration  Status 

Indicatory  Technology 

•  EURODAC 

•  Japan  Biometrics  Identification  System 

•  The  Five  Country  Conference  Protocol 

•  CANPASS 

•  NEXUS 

•  Gambia  Biometric  identification 
System 

•  The  Bangladesh  Voter  Registration 
Project 

•  National  ID  Card  (Thailand) 

•  Multilingual  Automated  Registration 
System  (United  States) 

•  New  Delhi  Railway  Station 
Face  Recognition 

Surveillance  (India) 

•  Community  Protection  Face 
Recognition  System  (United 
Arab  Emirates) 

Biometric  PET  Approaches 


The  study  reviews  the  following  biometric  PET  techniques. 

•  Fuzzy  Cryptosystems 

•  Homomorphic  Encryption 

•  Local  Aggregation 

•  Multifactor  Key  Generation 

•  Noninvertible  Transforms 

•  Parametric  Key  Generation 

•  Random  Projection 

Fuzzy  Cryptosystems 

A  “sketch”  or  “vault”  is  a  secured  template  whose  development  can  be  traced  to  the  “fuzzy  vault”  scheme  proposed 
by  Juels  and  Sudan.  The  scheme  was  designed  to  encrypt  data  such  that  it  could  be  unlocked  by  similar  but  inexact 
matches.  Variants  of  the  fuzzy  vault  scheme  are  referred  to  more  generally  as  fuzzy  cryptosystems.  The  method  lent 
itself  well  to  the  protection  of  biometric  templates,  where  inputs  are  inconsistent  due  to  lighting,  rotation,  etc.  The 
mechanism  for  obfuscating  data  in  fuzzy  cryptosystems  is  to  insert  random  noise  that  resembles  genuine  minutiae 
points  or  other  features.  In  doing  so  an  attacker  cannot  easily  differentiate  genuine  features  and  false  features.  Most 
variations  of  this  system  follow  key  release  protocols,  though  some  generate  keys  from  the  biometric  data.  Fuzzy 
cryptosystems  are  perhaps  the  most  practiced  and  debated  template  protection  methods  in  academia.  As  a  result 
there  is  a  wealth  of  literature  on  the  security  vulnerabilities  and  countermeasures  to  mitigate  these  vulnerabilities. 
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making  this  method  among  the  most  mature  of  all  template  protection  methods  despite  its  many  shortcomings. 
\Homomorphic  Encryption 

An  encryption  method  is  homomorphic  if  the  structure  of  the  ciphertext  is  preserved  in  the  encryption  of  the 
plaintext.  Homomorphism  has  a  “malleable”  property,  meaning  that  the  ciphertext  can  be  converted  into  another 
ciphertext  that  also  reverts  to  the  original  plaintext.  Homomorphic  encryption  can  be  used  to  calculate  the  similarity 
between  an  input  templates  and  stored  templates  in  the  encrypted  domain,  preventing  servers  from  extracting 
sensitive  information  from  a  query.  Many  of  the  proposed  homomorphic  encryption  methods  make  use  of  existing 
cryptosystems  proposed  by  Paillier,  Goldwasser-Micali,  and  ElGamal,  all  of  which  are  semantically  secure 
protocols.  Homomorphic  encryption  may  be  applied  to  one  step  in  the  template  protection  processes. 

Local  Aggregation 

Local  aggregation  is  a  means  of  extracting  features  from  a  biometric  input  by  counting  the  number  of  features  that 
appeared  within  the  confines  of  many  randomly  generated  regions  superimposed  the  input.  Each  element  in  the  set 
contains  the  number  of  features  found  in  one  of  the  randomly  superimposed  regions.  Regions  are  generated 
according  to  a  secret  key  that  is  unique  to  every  user.  This  implies  that  each  user  has  a  unique  but  repeatable  pattern 
of  random  regions.  If  someone  were  to  present  a  stolen  image  without  its  corresponding  key,  features  would  be 
counted  incorrectly  and  the  imposter  would  be  invalidated.  Templates  produced  by  this  method  can  be  cancelled  by 
reenrolling  the  biometric  with  a  different  key,  resulting  in  a  new  pattern  of  random  regions.  The  method  is 
considerably  tolerant  to  intraclass  variations  because  it  checks  only  for  the  presence  of  features  within  wide  regions. 
Intraclass  variations  due  to  minor  rotation,  translation,  and  warping  are  not  likely  to  push  the  features  outside  the 
boundaries  of  the  regions  as  long  as  the  input  is  aligned.  Cryptographic  keys  are  computed  from  metrics  like  the 
number  of  minutiae  points  within  each  region,  which  are  easier  to  reproduce  in  subsequent  transactions  than  the 
exact  coordinates  and  angles  of  the  minutiae  points.  Overall  this  method  possesses  the  advantage  of  computational 
simplicity.  Furthermore,  because  this  approach  does  not  transform  the  biometric  features,  it  avoids  producing 
inadvertent  errors  due  to  arbitrarily  or  unreliably  designed  transform  functions. 

Multifactor  Key  Generation 

Multifactor  key  generation  combines  a  biometric  with  one  or  more  other  inputs,  such  as  a  password  or  token,  to 
produce  cryptographic  keys.  This  approach  is  essentially  a  form  of  salting,  whereby  the  user  supplies  secret 
auxiliary  information  that  influences  the  transformation  of  the  biometric  image  or  template.  Combining  biometrics 
with  other  authentication  factors  has  proven  to  be  a  reliable  means  of  generating  secure  templates  or  cryptographic 
keys.  From  a  security  perspective,  this  method  is  advantageous  because  it  combines  something  that  the  user  ‘is’  with 
something  that  the  user  ‘has’  or  ‘knows’.  The  principal  tradeoff  for  security  in  multifactor  key  generation  protocols 
is  usability,  not  necessarily  verification  performance.  Access  control  systems  that  use  multifactor  key  generation 
could  easily  become  a  hassle  to  users  who  forgot  their  password  or  token.  Furthermore,  the  need  to  present  multiple 
inputs  during  authentication  is  impractical  for  applications  like  security  checkpoints. 

Noninvertible  Transforms 

Noninvertible  transforms  are  a  generic  means  of  obfuscating  biometric  template  data  by  way  geometric 
transformation.  Transforms  are  executed  either  at  the  single  domain  or  the  feature  domain.  The  literature  has  favored 
feature  domain  transforms,  which  alter  features  such  as  the  position  of  the  minutiae  coordinates.  By  contrast,  single 
domain  transforms  alter  the  pixels  of  the  raw  image.  Figure  23  illustrates  the  manner  in  which  minutiae  points  are 
repositioned  by  a  feature  domain  geometric  transform.  The  dots  indicate  the  position  and  angle  of  fingerprint 
minutiae.  Observe  how  they  are  repositioned  after  a  Gaussian  transform.  Any  template  protection  method  could 
employ  a  noninvertible  transform  as  one  of  several  means  of  obfuscating  the  template  data.  Typically  the  parameters 
which  influence  the  transform  are  used  as  the  cancelable  property  in  a  protected  template.  For  additional  security, 
these  parameters  can  be  derived  from  a  user-supplied  input  such  as  a  password  or  a  private  key. 

Parametric  Key  Generation 

Parametric  key  generation  methods  classify  biometric  features  according  to  predefined  parameters  and  generate  a 
key  derived  from  the  parameter  outputs  rather  than  from  the  template  itself  This  approach  mitigates  the  problem  of 
intraclass  variations  because  the  shape  and  position  of  the  features  do  not  influence  the  construction  of  the  encrypted 
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template.  For  example,  rather  than  store  the  locations  of  minutiae  points,  a  fingerprint  is  classified  simply  as  having 
an  arch,  loop,  or  whorl.  Many  parameters  must  be  defined  to  ensure  uniqueness  among  templates.  The  performance 
of  any  parametric  key  generation  algorithm  depends  on  the  reliability  of  its  parameters.  A  parameter  is  considered  to 
be  reliable  if  it  consistently  returns  the  same  value  upon  many  presentations  of  the  same  biometric.  Therefore  the 
best  performing  algorithms  are  likely  to  contain  many  parameters  with  simple  definitions,  allowing  for  many 
possible  combinations  and  accurately  reproduced  queries. 

Random  Projection 

Random  projection  is  a  means  of  reducing  the  dimensionality  of  a  set  of  points  while  nearly  preserving  the  distances 
between  the  points.  Some  template  protection  methods  use  random  projection  as  a  means  to  randomly  map  minutiae 
coordinates  while  preserving  semantic  meaning  in  final  set. 


Iris  Recognition  Assessments  and  Performance  Evaluations 


Iris  recognition  technology  is  considered  a  candidate  for  use  in  biometric  PETs  due  to  the  richness  and  stability  of 
data  in  iris  images.  To  gauge  the  suitability  of  this  modality  for  use  in  PETs,  Indiana  University-Purdue  University 
Indianapolis  (lUPUI)  analyzed  previous  studies  of  iris  recognition  performance  and  conducted  a  new  study  of  iris 
recognition  performance. 

Assessment  of  Iris  Recognition  through  Variable- Quality  Iris  Datasets:  Methodology 

lUPUI  evaluated  the  ability  of  a  commercial  iris  recognition  algorithm  to  process  7  iris  image  datasets.  Matching 
was  performed  on  a  1 : 1  basis  at  the  default  1 : 1  threshold. 


Dataset  Name 

Image  Format  &  Volume 

Quality  /  Capture  Notes 

Iris  Challenge  Evaluation 
(ICE) 

640x480 , 2953  images 

Controlled  environment,  eooperative  subjeets,  illuminated  in 
the  near  infra-red  (NIR)  range 

Chinese  Aeademy  of 

Seienees  (CASIA)  2.0 

640x480 , 2400  images 

NIR 

CASIA3.0  Setl 

320x280 , 2639  images 

NIR;  eaptured  in  two  sessions,  >  one  month  interval 

CASIA  3.0  Set  2 

640x480 , 16213  images 

NIR;  eaptured  in  one  session 

CASIA  3.0  Set  3 

640x480 ,3183  images 

NIR;  eaptured  in  one  session 

West  Virginia  University 

640x480 ,1852  images 

NIR;  noisy,  heterogeneous  data,  with  obstruetions, 
ineonsistent  illumination,  out-of-foeused,  off-angle  irises 

UBIRIS 

800x600 ,  1877  images 

Color  images  aequired  in  visible  wavelengths;  Two  distinet 
sessions,  images  are  predominately  frontal  gaze. 

Multimodal  Biometrie 

Grand  Challenge  (MBGC) 

2048x2048 , 148  videos,  1 
seeond  duration 

NIR;  foeal  length  of  lOM  is  2~3  feet,  images  aequired  while 
subjeets  walked  toward  the  eamera,  primarily  frontal  view, 
subjeets  instrueted  to  look  at  iris  eameras 

lUPUI  multi-wavelength 

1280x1024 , 352  videos 

NIR;  obtained  from  both  eyes  on  two  separate  oeeasions,  time 
period  between  eaeh  data  aequisition  is  at  least  one  week,  only 
used  green  wavelength  to  test 

lUPUI  Remote 

1280x1024,731  videos,  30 
fps 

NIR;  average  iris  radius  was  95  pixels,  data  was  aequired  in 
two  sessions,  at  least  one  week  between  sessions,  6  videos  per 
iris,  variety  of  positions  and  situations 
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WVU  ctabbase  lUHJI  Remote  ctabbas 


Assessment  of  Iris  Recognition  through  Variable- Quality  Iris  Datasets:  Results  and  Analysis 

Metrics  used  to  evaluate  performance  were  quality,  false  rejection  rate  (FRR),  false  acceptance  rate  (FAR),  and 
failure  to  process  rate  (FTPR).  Results  are  shown  in  the  charts  below. 
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The  following  conclusions  can  be  drawn  from  this  multi-dataset  evaluation: 

•  Processing  and  matching  are  very  fast.  The  system  can  perform  iris  recognition  in  17.8ms  (including 
segmentation,  feature  extraction  and  1:1  matching). 

•  It  has  very  low  FAR  when  using  a  decision  threshold  (Hamming  Distance)  of  0.33.  The  HD  used  for  large-scale 
identification  would  have  resulted  in  a  0.00%  FAR  and  higher  FRR  for  all  datasets. 

•  The  system  is  capable  of  processing  visible  wavelength  images,  assuming  that  iris  patterns  are  good  enough  for 
recognition. 

•  The  system  can  work  reasonably  well  with  regular  pupil  dilation. 

Areas  for  improvement  include  the  following: 

•  The  system  is  unable  to  process  non-cooperative,  off-angle  iris  images. 

•  Since  the  commercialized  system  is  designed  for  images  acquired  from  a  specific,  paired  acquisition  system, 
preferences  in  iris  image  resolution  and  illumination  are  present.  Usually,  the  commercialized  system  can  work 
best  with  iris  images  with  resolution  about  200  pixels  across  the  iris.  However,  for  lower  resolution  or  higher 
resolution  images,  if  resolution  can  be  adjusted  properly  without  deforming  iris  patterns,  the  system  can  also 
perform  accurate  iris  recognition. 

•  Recognition  accuracy  is  affected  dramatically  by  illumination  condition,  contrast,  and  motion  blur. 

•  The  commercialized  system  would  not  work  with  dark  color  iris  images  in  visible  wavelength  due  to  the  lack  of 
recognizable  iris  patterns. 

•  Hamming  Distances  are  not  necessarily  symmetric.  When  used  for  enrollment,  lower-quality  images  resulted  in 
higher  (worse)  HDs. 

Impact  of  Compression  on  Iris  Recognition 

Data  compression  is  beginning  to  play  a  part  in  the  use  of  iris  recognition  systems.  In  the  field  applications  using 
handheld  iris  recognition  devices  often  use  wireless  communication  to  connect  to  the  central  server  for  identification 
and  verification.  While  it  will  be  ideal  to  have  wide  bandwidth  for  transmission  in  real-life  applications,  it  often 
needs  to  transmit  captured  images  or  templates  over  a  narrow-bandwidth  communication  channel.  In  this  case, 
minimizing  the  amount  of  data  to  transmit  (which  is  possible  through  compression)  minimizes  the  time  to  transmit, 
and  saves  energy.  The  study  analyzes  previously-conducted  evaluations  on  compression  techniques  including  region 
on  interest  compression. 

Iris  Recognition  with  Contact  Lenses 

Contact  lenses  with  iris  patterns  printed  on  them  can  cause  errors  in  the  iris  recognition  system.  Experts  have  studied 
the  effect  of  transparent  contact  lens  on  the  recognition  accuracy  of  several  iris  recognition  systems.  Their  data  was 
taken  in  the  same  studio  with  consistent  ambient  indoor  lighting.  They  visually  inspected  all  the  images  and  reject 
any  that  were  low  quality.  They  then  classified  the  contact-lens  wearing  subjects  into  five  different  categories  based 
on  a  visible  inspection  they  preformed  manually. 

12,003  iris  images  from  87  contact-lens-wearing  subjects  and  9,697  non-contact-lens  wearing  subjects  then 
processed  through  3  matching  algorithms.  Contact-lens  wearing  were  subjects  grouped  into  five  different  categories 
based  on  a  visible  inspection  they  preformed  manually. 


Category  0 

No  contact  lens 

Category  1 

Minimal  or  no  change  to  the  iris.  At  most  these  images  contain  a  faint  visible  edge. 

Category  2 

Images  contain  a  definite  circular  boundary  on  the  iris  area. 

Category  3 

Contains  images  which  the  lens  has  writing  on  the  lens,  the  lens  fits  improperly  causing  it  not  to 
lay  flat  on  iris,  or  the  lens  produces  an  artifact. 

Category  4 

Contains  the  iris  images  where  the  subject  is  wearing  hard  contact  lenses.  Hard  contacts  produce 
a  very  noticeable  ring  and  severely  distort  the  area  they  cover. 

DRDC  CSS  CR  201 1-29 


Results  below  illustrate  slight  false  reject  rate  (FRR)  increases  across  categories  0-3  then  substantial  increases  in 
FRR  for  category  4. 


Intra-Category  FRR  for  All  Systems 


IrisBEE 

VeriEye 

Carnegie  Mellon 


Video-based  Non-cooperative  Iris  Recognition 

As  iris  recognition  technologies  continues  to  mature,  it  will  gain  the  ability  to  acquire  an  image  without  the  end  user 
even  knowing.  This  will  make  iris  recognition  a  great  way  to  verify  people  because  it  will  cause  no  extra  burden  for 
the  user.  This  technology  also  has  great  potential  for  finding  people  of  interest,  because  a  non-cooperative  iris 
recognition  system  can  identify  people  without  the  making  the  person  aware  they  are  being  indentified.  This 
application  is  particularly  valuable  for  security  at  airport,  borders  or  any  other  any  public  place. 

Multiple  Wavelength  Based  Iris  Recognition 

NIR  images  have  been  dominant  in  iris  identification.  One  downside  to  NIR  light  is  it  requires  active  NIR 
illumination.  Visible  wavelength  iris  recognition  could  function  using  environmental  illumination.  In  addition, 
visible  wavelength  recognition  is  important  because  it  can  be  used  with  facial  recognition  for  multimodal 
biometrics.  In  the  future  regular  color  surveillance  camera  may  have  the  capability  to  perform  iris  recognition. 
Visible  wavelength  iris  recognition  has  its  own  challenges,  especially  it  is  challenging  for  dark  color  eyes  and 
remote  iris  recognition.  In  the  future,  multiple-wavelength  iris  recognition  may  attack  more  attention  and  can  work 
with  multiple-wavelength  face  recognition  together  for  video  surveillance. 

Multimodal  Eye  Recognition 

Since  the  iris  patterns  of  dark  color  eyes  could  reveal  rich  and  complex  patterns  only  under  NIR  light,  if  the  NIR  iris 
image  be  obtained  in  long  distance,  the  accuracy  of  iris  recognition  will  drop  dramatically.  And  if  we  acquire  iris 
image  in  visible  light,  the  iris  patterns  of  dark  color  eyes  will  be  hardly  visible  under  visual  light.  The  sclera,  the 
white  and  opaque  outer  protective  covering  of  the  eye,  can  also  be  used  in  human  identification.  The  sclera  image 
segmentation  process,  it  includes  image  down-sampling,  conversion  to  the  HSV  color  space,  estimation  of  the  sclera 
region,  iris  and  eyelid  detection,  eyelid  and  iris  boundary  refinement,  mask  creation,  and  mask  up-sampling.  The 
sclera  region  is  estimated  using  the  best  representation  between  two  color-based  techniques. 
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GenKey  Fingerprint-Based  PET  Performance  Evaluation 


GenKey  Technology 

GenKey,  a  leading  provider  of  biometric  PET  solution,  has  developed  a  biocryptic  algorithm  that  bridges  cryptology 
with  biometrics.  This  patented  algorithm  converts  a  biometric  image  into  Public  Key  Infrastructure  (PKI)- 
compatible  crypto  keys  that  are  irreversible  and  share  no  mathematical  relationship  with  the  biometric  sources  they 
represent.  Its  solutions  can  be  applied  to  a  variety  of  contexts  including  education,  licensing  and  healthcare.  The 
GenKey  algorithm  provides  a  means  to  enroll  and  verify  individuals  based  on  biometric  information,  such  as  a 
fingerprint.  The  algorithm  offers  a  number  of  options  which  provide  tradeoffs  between  recognition  speed,  accuracy, 
and  biometric  privacy. 

GenKey  Feature  Template  v^.  ID  Key  Enrollments 

The  GenKey  algorithm  can  perform  two  types  of  enrollment.  In  feature  template  enrollment,  discriminating  features 
from  fingerprint  images  are  extracted  and  stored  as  the  individual’s  biometric  template.  The  feature  template  is 
stored  for  later  use  and  the  biometric  image  may  be  discarded.  ID  Key  enrollment  also  extracts  discriminating 

features  from  fingerprint  images,  but 
converts  features  into  a  numerical  value 
which  represents  the  individual’s 
biometric.  At  the  conclusion  of  an  ID  Key 
enrollment,  the  ID  Key  (numerical  value)  is  stored  and  the  biometric  image  and  feature  template  may  be  discarded. 
This  type  of  enrollment  is  focus  of  IBG’s  performance  evaluation. 

IBG  tested  two  GenKey  ID  Key  types: 

•  Standard  ID  Keys  offer  performance  near  the  performance  of  the  feature  template  enrollments. 

•  Flex  ID  Keys  tradeoff  key  size  and  accuracy. 

IBG  evaluated  performance  using  the  Standard  ID  Key  as  well  as  12,  25,  56,  and  107-byte  Flex  ID  keys. 


Biometric 

Sample 


Feature 

Template 


Feature  Template  (not  a  PET) 

Standard  ID  Key  (PET) 

Flex  ID  Key  (PET) 

Accuracy 

Feature  enrollments  provide  the  most 
robust  performanee. 

Standard  ID  Keys  will 
perform  at  only  slightly 
degraded  error  rates  as 
eompared  to  feature 
templates. 

Flex  ID  Keys  provide  a 
range  of  aeeuraey 
performanee  options. 

Larger  Flex  ID  Keys 
provide  aeeuraey  similar 
to  Standard  ID  Keys. 

Privacy 

Offers  some  privaey  proteetion  for  the 
fingerprint;  having  aeeess  to  a  feature 
template  does  not  provide  a  malieious 
user  with  eapability  to  reeonstruet  the 
original  fingerprint.  With  detailed 
knowledge  of  the  GenKey  feature 
template  ereation  proeess,  a  malieious 
user  eould  gain  aeeess  to  general 
information  about  the  fingerprint 
strueture. 

ID  Keys  offer  a  privaey  advantage  over  feature  template 
enrollment.  A  malieious  user  with  aeeess  to  the  ID  Key 
eannot  praetieally  regenerate  the  fingerprint  features  or 
extraet  any  detailed  information  about  the  fingerprint 
strueture.  The  teehnique  used  to  eonvert  the  feature 
template  to  a  key  is  analogous  to  a  eryptographie  one¬ 
way  funetion.  It  is  easy  to  eompute  an  ID  Key  from  a 
feature  template;  however,  reversing  this  proeess  is 
eomputationally  infeasible. 

Throughput 

Feature  enrollments  offer  the  fastest 
seareh  speeds.  The  GenKey  algorithm  is 
eapable  of  performing  millions  of  feature 
template  matehes  per  seeond  using 
ordinary  eomputer  hardware. 

While  not  as  fast  as  feature  template  matehing,  ID  Key 
verifieations  ean  also  be  performed  at  relatively  high 
speeds  using  ordinary  eomputer  hardware;  GenKey 
estimates  rates  of  hundreds  of  thousands  of  verifieations 
per  seeond.  Mateh  speed  inereases  (i.e.  beeomes  slower) 
as  strieter  mateh  thresholds  are  applied. 

Typical  Key  Size 

128-256  bytes 

64-128  bytes 

12-107  bytes 
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GenKey  Test  Data 

IBG  used  a  collection  of  approximately  6000  flat  fingerprint  images  (left  and  right  index)  from  1200  subjects 

collected  under  indoor  office 
conditions.  Fingerprint 
images  were  collected 
through  a  500dpi  Cross 
Match  Verifier.  Each  subject 
provided  two  samples  per 
position  during  a  first  visit. 
Additionally,  approximately 
650  of  the  1,200  subjects  provided  two  samples  per  position  during  a  second  visit  which  occurred  roughly  one 
month  after  the  first. 

GenKey  Enrollment  and  Recognition  Processes 

Using  a  Software  Development  Kit  (SDK)  provided  by  GenKey,  IBG  developed  a  custom  application  that 
performed  feature  extraction,  template  creation,  and  ID  Key  creation.  Both  index  fingerprints  had  to  enroll  in  order 
for  an  enrollment  to  be  successful.  IBG  also  developed  a  custom  application  that  performed  bulk  matching.  Second- 
visit  fingerprint  images  were  used  for  recognition  (i.e.  as  probe  images)  are  compared  against  first-visit  fingerprint 
data. 


In  addition  to  processing  through  the  GenKey  algorithm,  IBG  processed  the  same  fingerprint  dataset  through  a 
widely-adopted,  minutiae-based  fingerprint  algorithm  -Neurotechnology  VeriFinger  version  6.3.  The  VeriFinger 
processing  approach  was  equivalent  to  the  GenKey  approach  described  below.  Comparing  and  contrasting  GenKey 
results  with  VeriFinger  results  will  provide  a  general  frame  of  reference  for  validating  the  commercial  viability  of 
GenKey ’s  ID  Key  technology. 


DRDC  CSS  CR  201 1-29 


Visit  2 

Left  Index  - > 

Sample  1 


0010101001... 


Left  Ihdex 
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Recognition  Process 


Match  / 
No  Match 


Visit  2 

Left  Index  - > 

Sample  1 


Visit  2 
Right  Index 
Sample  1 


Visit  2 

Right  Index  - > 

Sample  2 


Left  Ihdex 


.  I 


0010101001... 


Match  / 
No  Match 


0010101001... 


Right’Jn'dex 

I  !P^®y| 


Match  / 
No  Match 


0010101001... 


Match  / 
No  Match 


Transaction 

Decision 


Processing  volumes  are  shown  below. 


GenKey 

VeriFinger  6.N 

Subjects 

650 

650 

Genuine  comparisons 

456 

459 

Impostor  Comparisons 

550976 

560741 

GenKey  Test  Results 

Based  on  collection  and  comparison  processes  described  above,  the  following  metrics  were  generated. 


Usability  Metrics 

Accuracy  Metrics 

•  Failure  to  Encode  Rate  (FTE) 

•  Failure  to  Acquire  Rate  (FTA) 

•  Processing  Time 

•  False  Match  Rate  (FMR) 

•  False  Non-Match  Rate  (FNMR) 

•  Distribution  of  Errors  by  Subject 

Failure  to  Enroll 

Enrollment  Attempts 

FTE  Count 

FTE  Rate 

VeriFinger  6.3 

2448 

42 

1.72% 

GenKey  ID  Key 

2448 

45 

1.84% 

Failure  to  Acquire 

Recognition  Encoding  Attempts 

FTA  Count 

FTA  Rate 

VeriFinger  6.3 

1841 

1 

0.05% 

GenKey  ID  Key 

1841 

66 

3.59% 

Results  show  that  GenKey  and  Verifmger  FTE  are  roughly  equivalent,  while  GenKey  FT  A  is  substantially  higher 
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than  VeriFinger  FTA.  This  underscores  the  concept  that  GenKey  is  predicated  on  the  use  of  high-quality  images 
whose  quality  is  validated  in  real  time  at  the  point  of  capture. 


- standard 

- 107 -bit 

- 56- bit 

- 25-bit 

- 12- bit 

- VeriFinger 


l.OOE-03 

l.OOE-04 


l.OOE-03 


l.OOE-02 


False  Match  Rate 


l.OOE-01 


l.OOE-01 


Two-Position  Matching  (Left  and  Right  Index) 


Comparative  performance  assessment  with  a  challenging  dataset  demonstrates  the  viability  of  commercial, 
fingerprint-based  DETs.  Biometric  PET  performance  is  relatively  close  to  that  of  a  widely-deployed,  NIST-tested 
minutiae-based  matcher 

For  many  biometric  systems,  certain  subjects  encounter  higher  false  match  rates  than  others.  IBG  analyzed  the 
distribution  of  false  matches  across  subjects.  Subject-specific  false  match  rates  (aggregated  across  all  evaluated  ID 
Key  types  and  sizes,  and  measured  at  a  typical  threshold  of  0.45)  ranged  from  as  high  as  4.04%  and  as  low  as 
0.00%.  While  false  match  rates  generally  decline  as  key  sizes  increase,  in  some  cases  subjects  encountered  higher 
false  match  rates  at  larger  key  sizes.  For  example,  251  of  457  subjects  encountered  higher  false  match  rates  at  an  ID 
Key  size  of  56  bytes  than  at  25  bytes. 


Conclusions 


The  following  high-level  conclusions  can  be  drawn  from  this  study. 

•  Aspects  of  non-cooperative  iris  recognition  performance,  including  high  failure  to  enroll  and  false  non-match 
rates,  complicate  its  use  as  a  PET 

•  Controlled  iris  recognition  capture,  and/or  high-quality  iris  images,  will  increase  the  likelihood  of  iris  usage  as  a 
PET 

•  Comparative  performance  assessment  with  a  challenging  dataset  demonstrates  the  viability  of  commercial, 
fingerprint-based  DETs 

•  GenKey  performance  is  close  to  that  of  a  widely-deployed,  NIST-tested  minutiae-based  matcher 

•  Deployers  should  study  how  to  incorporate  key-based  approaches  into  their  application  architectures 


DRDC  CSS  CR  201 1-29 


Sommaire 


Analyse  et  meilleures  pratiques  relatives  aux  technologies  de  protection  des  donnees 
biometriques.  International  Biometric  Group  RDDC  CSS  CR  2011-29  Decembre  2011 

Contexte 


Le  present  document  constitue  le  Rapport  d’etude  PSTP09-0351BIO,  Analyse  et  meilleures  pratiques 
relatives  aux  technologies  de  protection  des  donnees  biometriques.  L’un  des  principaux  objectifs  du 
Programme  technique  de  securite  publique  (PTSP)  de  la  Communaute  de  praticiens  en  biometrie  est 
d’evaluer,  d’analyser  et  de  mettre  en  application  des  technologies  biometriques  qui  ameliorent  les 
capacites  du  pays  en  matiere  de  controle  de  I’acces,  de  la  verification  de  I’identite  et  de  la  securite  de 
commerce  electronique  tout  en  respectant  les  lois  et  les  actes  Canadians.  Ces  mesures  sont  prises  en 
collaboration  avec  les  agences  et  ministeres  du  gouvernement  canadien  responsables  de  la  securite 
nationale,  du  controle  frontalier  et  de  securite  a  la  frontiere,  avec  la  police  et  les  services  d’immigration. 

Le  ministere  federal  en  chef  pour  la  presente  etude  est  I’Agence  des  services  frontaliers  du  Canada 
(ASFC).  D’autres  partenaires  comprennent : 

•  Gendarmerie  royale  du  Canada 

•  Transports  Canada 

•  Recherche  et  developpement  pour  la  Defense  Canada  (RDDC)  -  Toronto 

•  Commissariat  a  I’information  et  a  la  protection  de  la  vie  privee  de  I’Ontario 

•  Universite  de  Toronto 

•  Indiana  University-Purdue  University  Indianapolis  (lUPUl) 

•  IBG-Canada 

L’evolution  rapide  des  technologies  biometriques  des  dernieres  annees  et  la  facilite  avec  laquelle  les 
donnees  biometriques  peuvent  etre  acquises  ont  mene  a  une  accumulation  de  vastes  bases  de 
renseignements  biometriques  divers.  Cette  tendance  se  maintiendra  etant  donne  le  rythme  constant  avec 
lequel  les  bases  de  donnees  sont  alimentees.  L’objectif  de  la  presente  etude  est  d’examiner  certaines 
questions  relatives  au  partage  et  a  la  protection  des  donnees  biometriques  dans  le  contexte  de  la 
securite  publique  au  Canada.  Au  cours  de  I’etude,  I’accent  sera  place  sur  les  donnees  biometriques  de 
I’iris  (point  principal)  et  les  empreintes  digitales  (point  secondaire). 

Les  technologies  d’amelioration  de  la  confidentialite  des  donnees  biometriques  (ACDB)  sont  parmi  les 
technologies  les  plus  prometteuses  en  matiere  de  protection  des  donnees.  Ces  technologies  misent  sur 
les  renseignements  biometriques  pour  ameliorer  et  assurer  la  protection  des  renseignements  personnels 
tout  en  protegeant  des  renseignements  et  des  biens  sensibles.  Ces  technologies  peuvent  etre  classees 
comme  suit : 

•  Donnees  biometriques  non  retragables  -  definies  par  Madame  Ann  Cavoukian,  commissaire  a  la 
protection  de  la  vie  privee  de  I’Ontario,  comme  une  nouvelle  categorie  de  technologies  d’amelioration 
de  la  vie  privee  emergentes  comme  le  cryptage  des  donnees  biometriques 

•  Donnees  biometriques  anonymes  -  systeme  oCi  les  donnees  biometriques  ne  sont  pas  reliees  a 
des  donnees  personnelles;  les  donnees  biometriques  peuvent  etre  placees  dans  un  autre  systeme 
afin  de  les  relier  a  des  renseignements  personnels 

•  Donnees  biometriques  revocables  (privees)  -  permet  a  certaines  personnes  d’obtenir  de  multiples 
identificateurs  biometriques  en  utilisant  les  memes  renseignements  biometriques;  les  identificateurs 
peuvent  etre  utilises  independamment  ou  de  maniere  anonyme 

Le  present  document  introduit  des  methodologies  et  les  resultats  d’etudes  scientifiques  qui  identifient  et 
evaluent  les  technologies  biometriques  sur  leur  capacite  a  etre  utilisees  de  maniere  securisee  (en  terme 
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de  protection  des  bases  de  donnees  biometriques).  Ces  nouvelles  technologies  biometriques  et  les 
capacites  de  protection  de  donnees  connexes  doivent  etre  conformes  aux  mandats  de  prosperite  et  de 
securite  du  gouvernement  canadien  et  doivent  prendre  en  consideration  les  questions  relatives  au  droit,  a 
I’ethique,  a  la  culture  et  a  la  protection  des  renseignements  personnels. 

Points  a  considerer  en  matiere  de  partage  et  de  protection  des  donnees  biometriques 


La  quantite  et  la  complexite  des  echantillons  de  donnees  biometriques  recueillis  par  les  systemes 
nationaux  et  internationaux  s’accroissent  et  se  propagent.  Le  niveau  de  maturite  actuel  des  donnees 
biometriques  a  facilite  I’utilisation  de  celles-ci  dans  un  vaste  eventail  d’applications  gouvernementales, 
bien  qu’il  reste  beaucoup  de  travail  a  faire  dans  la  mise  au  point  de  moyens  acceptables  pour  controler 
I’utilisation,  le  stockage  et  I’echange  de  donnees  biometriques  et  de  renseignements  personnels. 

Les  menaces  relatives  a  la  protection  des  donnees  biometriques  ont  ete  examinees  de  maniere 
approfondie.  Les  principaux  secteurs  de  risque  pour  la  protection  de  la  vie  privee  sont  decrits  ainsi : 

•  La  capacite  de  trouver  la  compatibilite  croisee  de  personnes  visees  pour  divers  services  ou  diverses 
applications  en  comparant  les  matrices  de  donnees  biometriques. 

•  La  possibilite  d’extraire  des  renseignements  sensibles  des  donnees  biometriques  stockees. 

•  L’extension  de  I’etendue  d’une  technologic  biometrique  a  I’exterieur  du  cadre  de  consentement  du 
proprietaire 

Les  diverses  menaces  de  securite  associees  au  partage  et  a  la  protection  des  donnees  peuvent  etre 
decrites  par  des  attaques  potentielles  sur  divers  elements  des  systemes  biometriques,  y  compris  la 
saisie,  le  stockage  et  la  transmission  des  donnees  biometriques.  Les  concepts  de  securite  cles  relatifs  a 
la  protection  des  donnees  comprennent  la  confidentialite,  I’integrite  et  la  revocabilite. 

La  confidentialite  permet  d’assurer  que  les  renseignements  ne  sont  pas  devoiles  a  des  personnes  non 
autorisees.  Dans  un  systeme  biometrique,  les  donnees  sont  stockees  dans  divers  sous-systemes  et 
transmises  entre  ceux-ci.  Le  stockage  et  la  transmission  des  donnees  devraient  etre  proteges  contre 
I’interception  clandestine,  la  divulgation  non  autorisee  ou  la  modification  de  donnees.  Cela  necessite  des 
techniques  cryptographiques  comme  le  cryptage  biometrique  ou  symetrique  ou  les  cryptages 
asymetriques. 

L’integrite  constitue  la  protection  de  la  precision  et  de  I’integralite  des  biens  dans  un  ensemble  de 
donnees.  Si  I’integrite  d’une  reference  biometrique  ou  le  resultat  des  divers  traitements  d’algorithme  et 
sous-systemes  ne  sont  pas  dignes  de  foi,  le  resultat  de  la  verification  ne  sera  pas  de  digne  de  foi 
egalement.  La  cryptographic  signifie  proteger  I’integrite  des  donnees  comme  les  signatures,  le  cryptage 
authentifie  et  I’horodatage. 

Line  des  questions  importantes  en  matiere  de  protection  des  systemes  biometriques  touche  la 
revocabilite  et  la  renouvelabilite  des  gabarits  de  donnees  biometriques.  Cheque  individu  possede  un 
nombre  limite  d’iris  et  de  doigts  et  done,  le  vol  d’identite  rend  le  gabarit  biometrique  correspondent 
inutilisable.  En  raison  de  la  longevite  des  caracteristiques  biometriques,  un  gabarit  biometrique 
compromis  le  sera  pour  toujours.  II  est  possible  d’empecher  certains  types  d’attaques  de  compromettre 
les  gabarits  grace  a  des  methodes  de  creation  de  gabarits  de  donnees  biometriques  renouvelables. 


Modalites  specifiques  a  prendre  en  consideration 


Les  empreintes  digitales,  la  reconnaissance  du  visage  et  la  reconnaissance  de  I’iris  sont  parmi  les 
modalites  primaires  prises  en  consideration  pour  les  applications  de  protection  des  donnees. 


Empreintes  digitales  :  forces 

Empreintes  digitales  :  faiblesses 

•  Technologie  eprouvee  et  d’une  grande  precision 

•  Le  rendement  (precision,  debit)  des  technologies  de 

•  Le  rendement  peut  diminuer  avec  le  temps 

•  Association  avec  des  applications  judiciaires 
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pointe  est  bien  documente  et  compris 
Capable  de  traiter  plusieurs  doigts  a  la  fois; 
precision  exceptionnellement  grande  pour  la  collecte 
de  10  empreintes 

Dispositifs  ergonomiques  et  faciles  a  utiliser 
Les  donnees  sur  les  empreintes  sent  presque  toutes 
interexploitables,  ce  qui  facilite  les  recherches  dans 
des  listes  de  surveillance 


•  Les  utilisateurs  peuvent  endommager 
intentionnellement  les  empreintes,  ce  qui  reduit  le 
rendement 

•  La  mise  en  application  de  systemes  a  grande 
echelle  necessite  une  expertise  hautement 
specialisee  pour  regler  et  optimiser  le  rendement 


Reconnaissance  de  visage  :  forces 

Reconnaissance  de  visage  :  faibiesses 

•  Ne  necessite  pas  de  formation  et  ne  requiert  pas 
d’effort  pour  I’utilisateur 

•  Peut  souvent  avoir  une  incidence  sur  les  ensembles 
de  donnees  d’images  existants  et  les  processus  de 
photographie  existants 

•  Capable  d’une  identification  a  distance 

•  Capable  d’une  identification  1:N  rapide  qui  ne 
necessite  qu’une  faible  capacite  de  traitement 

•  Le  rendement  s’ameliore  grace  a  la  qualite  de  la 
camera  et  a  la  resolution  d’image 

•  Susceptible  a  des  taux  eleves  de  fausse  non- 
correspondance  dans  les  applications  1:1  et  1:N 

•  Des  changements  dans  I’environnement 
d’acquisition  diminuent  la  precision  des 
correspondances 

•  Des  changements  dans  les  caracteristiques 
physiologiques  reduisent  la  precision  des 
correspondances 

•  L’eclairage  et  Tangle  de  la  camera  reduisent  la 
precision  des  correspondances 

Reconnaissance  de  i’iris  :  forces 

Reconnaissance  de  i’iris  :  faibiesses 

•  Extremement  resistante  aux  fausses 
correspondances 

•  Fonctionne  par  defaut  en  mode  d’identification 

•  Grande  stabilite  des  caracteristiques  pour  la  duree 
de  vie 

•  Fonctionnement  mains  libres 

•  Des  recherches  en  temps  reel  dans  de  vastes 
ensembles  de  donnees  (p.  ex.  :  10  millions  d’iris) 
sont  possibles  avec  des  charges  CPU  legeres 

•  L’acquisition  d’une  image  de  Tiris  necessite  plus  de 
formation  et  d’attention  que  la  plupart  des  autres 
donnees  biometriques. 

•  Malaise  de  Tutilisateur  pour  les  technologies  qui  font 
appel  aux  yeux 

•  Le  port  de  lunettes  peut  avoir  une  incidence  sur  le 
rendement. 

•  Propension  pour  de  fausses  non-correspondances 
ou  incapacite  de  saisir  les  donnees 

Mises  en  application  de  systemes  de  protection  des  donnees  biometriques 


Les  avancees  rapides  des  technologies  biometriques  de  meme  que  la  facilite  avec  laquelle  les  donnees 
biometriques  peuvent  etre  acquises  ont  mene  a  une  accumulation  de  vastes  ensembles  de  donnees 
biometriques.  Cependant,  les  rapports  portant  sur  les  meilleures  pratiques  relatives  au  partage  et  a  la 
protection  des  donnees  sent  peu  nombreux.  Les  secteurs  critiques  evalues  dans  la  presente  etude 
comprennent  les  exigences  du  systeme,  les  facteurs  de  risques,  les  forces  et  les  faiblesses  des 
technologies  de  protection  des  donnees  deployes,  les  questions  relatives  a  la  protection  de  la  vie  privee 
et  le  rendement.  L’objectif  est  de  fournir  aux  personnes  chargees  du  deploiement  et  des  decisions  une 
panoplie  de  renseignements  necessaires  pour  mettre  en  place  des  solutions  securisees  et 
interexploitables  pour  les  applications  de  defense  et  de  securite.  Les  mises  en  application  analysees 
sont : 


Systemes  frontiers  /  voyageur 

identification  civii  /  indentification 
criminei 

Surveiiiance 

•  U.S.  Visitor  and  Immigration  Status 
Indicatory  Technology 

•  EURODAC 

•  Japan  Biometrics  Identification  System 

•  The  Five  Country  Conference  Protocol 

•  CAN PASS 

•  NEXUS 

•  Gambia  Biometric  identification 
System 

•  The  Bangladesh  Voter 

Registration  Project 

•  National  ID  Card  (Thailande) 

•  Multilingual  Automated 

Registration  System  (Etats-Unis) 

•  New  Delhi  Railway  Station 
Face  Recognition 
Surveillance  (Inde) 

•  Community  Protection 

Face  Recognition  System 
(Emirats  arabes  unis) 
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Approches  des  techniques  ACDB 

L’etude  examine  les  techniques  ACDB  suivantes  : 


•  Systemes  cryptographiques  flous 

•  Chiffrement  homomorphique 

•  Rassemblement  local 

•  Generation  de  cle  multifactorielie 

•  Transformations  sans  inversion 

•  Generation  de  cle  parametrique 

•  Projection  aleatoire 

Systemes  cryptographiques  flous 

Une  «  esquisse  »  ou  «  enceinte  »  est  un  gabarit  securise  dont  I’elaboration  peut  etre  reliee  au  projet 
«  enceinte  floue  »  propose  par  duels  et  Sudan.  Ce  projet  a  ete  congu  pour  chiffrer  des  donnees  de  telle 
maniere  qu’elles  pourraient  etre  deverrouillees  par  des  correspondences  semblables,  mais  inexactes. 
Generalement,  on  appelle  «  systemes  cryptographiques  flous  »  les  diverses  versions  du  projet  enceinte 
floue.  La  methods  se  prete  bien  a  la  protection  de  gabarits  biometriques  dans  lesquels  les  entrees  sent 
irregulieres  en  raison  de  I’eclairage,  de  la  rotation,  etc.  Le  mecanisme  de  masquage  des  donnees  dans 
les  systemes  cryptographiques  flous  consists  a  inserer  un  bruit  aleatoire  qui  ressemble  a  des  points 
caracteristiques  ou  autres  caracteristiques  authentiques.  De  cette  maniere,  I’attaquant  ne  peut  facilement 
differencier  les  caracteristiques  authentiques  des  fausses  caracteristiques.  La  plupart  des  versions  de  ce 
systems  respectent  les  protocoles  des  de  liberation,  bien  que  certaines  generent  des  des  a  partir  des 
donnees  biometriques.  Les  systemes  cryptographiques  flous  sont  peut-etre  les  methodes  de  protection 
de  gabarit  les  plus  utilisees  et  les  plus  controversees  dans  le  milieu  universitaire.  Par  consequent,  il 
exists  une  panoplie  de  documents  ecrits  sur  la  vulnerabilite  relative  a  la  securite  et  aux  contre-mesures 
pour  attenuer  celles-ci,  faisant  de  cette  methods,  malgre  ses  nombreuses  faiblesses,  I’une  des  plus 
raisonnees  de  toutes  les  methodes  de  protection  de  gabarit. 

Chiffrement  homomorphique 

Une  methods  de  chiffrement  est  homomorphique  si  la  structure  du  cryptogramme  est  conserves  dans  le 
chiffrement  du  texts  en  clair.  L’homomorphisme  possede  une  caracteristique  «  malleable  »,  c’est-a-dire 
que  le  cryptogramme  peut  etre  convertit  en  un  autre  cryptogramme,  lequel  renvois  au  texts  en  clair 
original.  Le  chiffrement  homomorphique  peut  etre  utilise  pour  calculer  la  ressemblance  entre  des  gabarits 
de  donnees  d’entree  et  des  gabarits  stockes  dans  le  domains  du  chiffrement,  ce  qui  empeche  les 
serveurs  d’extraire  des  renseignements  sensibles  lors  d’une  interrogation.  Plusieurs  des  methodes  de 
chiffrement  homomorphiques  proposees  utilisent  des  systemes  de  chiffrements  existants  proposes  par 
Paillier,  Goldwasser-Micali  et  EIGamal  et  elles  constituent  toutes  des  protocoles  semantiquement 
securises.  Le  chiffrement  homomorphique  peut  etre  utilise  pour  une  etape  des  processus  de  protection 
des  gabarits. 

Rassemblement  local 

Le  rassemblement  local  sert  a  extraire  des  caracteristiques  d’une  donnee  biometrique  en  comptant  le 
nombre  de  caracteristiques  qui  apparaissent  a  I’interieur  de  plusieurs  regions  generees  aleatoirement  et 
superposees  a  la  donnee.  Chaque  element  de  cet  ensemble  comprend  le  nombre  de  caracteristiques 
retrouvees  dans  une  des  regions  superposees  aleatoirement.  Les  regions  sont  generees  selon  une  cle 
secrete  unique  a  chaque  utilisateur.  Cela  signifie  que  chaque  utilisateur  possede  un  regroupement 
reproductible  de  regions  aleatoires.  Si  quelqu’un  presentait  une  image  volee  sans  posseder  la  cle 
correspondante,  les  caracteristiques  seraient  comptees  incorrectement  et  I’imposteur  serait  invalide.  Les 
gabarits  generes  par  cette  methode  peuvent  etre  annules  en  reinscrivant  la  donnee  biometrique  a  I’aide 
d’une  autre  cle,  ce  qui  permet  de  former  un  nouveau  regroupement  de  regions  aleatoires.  Cette  methode 
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tolere  tres  bien  les  variances  intraclasses,  car  elle  verifie  uniquement  la  presence  de  caracteristiques  au 
sein  de  larges  regions.  Les  variances  intraclasses  engendrees  par  une  faible  rotation,  un  petit 
deplacement  et  une  petite  deformation  ne  devraient  pas  faire  sortir  les  caracteristiques  des  limites  des 
regions  tant  et  aussi  longtemps  que  la  donnee  est  alignee.  Les  cles  cryptographiques  sont  calculees  avec 
le  systeme  metrique  comme  le  nombre  de  points  caracteristiques  de  chaque  region.  En  effet,  les 
caracteristiques  sont  plus  faciles  a  reproduire  dans  les  transactions  subsequentes  que  les  coordonnees 
et  les  angles  exacts  des  points  caracteristiques.  Sur  I’ensemble,  cette  methode  possede  I’avantage  de  la 
simplicite  computationnelle.  De  plus,  etant  donne  que  cette  approche  ne  transforme  pas  les 
caracteristiques  des  donnees  biometriques,  elle  ne  produit  pas  d’erreurs  involontaires  causees  par  des 
fonctions  de  transformations  congues  arbitrairement  ou  de  maniere  peu  fiable. 

Generation  de  de  multifadorielle 

La  generation  de  cle  multifactorielle  combine  une  donnee  biometrique  et  une  autre  ou  d’autres  donnees 
d’entree  comme  un  mot  de  passe  ou  un  jeton  d’authentification,  pour  produire  des  cles  cryptographiques. 
Cette  approche  est,  essentiellement,  une  forme  de  «  salage  »  dans  lequel  I’utilisateur  fournit  un 
renseignement  auxiliaire  secret  qui  a  une  incidence  sur  la  transformation  de  I’image  biometrique  ou  du 
gabarit.  La  combinaison  de  donnees  biometriques  et  d’autres  facteurs  d’authentification  s’est  prouvee  un 
moyen  fiable  de  generer  des  gabarits  ou  des  cles  cryptographiques  securises.  D’une  perspective  de 
securite,  cette  methode  est  avantageuse,  car  elle  combine  quelque  chose  que  I’utilisateur  «  est  »  a 
quelque  chose  que  I’utilisateur  «  possede  »  ou  «  connait  ».  Le  principal  compromis  en  matiere  de 
securite  avec  les  protocoles  de  generation  de  cle  multifactorielle  est  la  convivialite,  pas  necessairement  le 
rendement  de  verification.  Les  systemes  de  controle  de  I’acces  qui  utilisent  la  generation  de  cle 
multifactorielle  pourraient  facilement  devenir  contrariants  pour  les  utilisateurs  qui  oublient  leur  mot  de 
passe  ou  leur  jeton  d’authentification.  De  plus,  le  besoin  d’entrerde  multiples  donnees  pendant 
I’authentification  est  impraticable  pour  les  applications  comme  les  points  de  controle  de  surete. 

Transformations  sans  inversion 

Les  transformations  sans  inversion  sont  un  moyen  generique  de  masquer  les  donnees  du  gabarit 
biometrique  grace  a  la  transformation  geometrique.  Les  transformations  sont  effectuees  soit  dans  le 
domaine  unique  ou  I’espace  des  attributs.  La  documentation  favorise  les  transformations  de  I’espace  des 
attributs,  lesquelles  modifient  les  caracteristiques  comme  la  position  des  coordonnees  caracteristiques. 
Par  centre,  les  transformations  du  domaine  unique  modifient  les  pixels  de  I’image  brute.  La  Figure  23 
illustre  la  maniere  avec  laquelle  les  points  caracteristiques  sont  repositionnes  grace  a  une  transformation 
geometrique  de  I’espace  des  attributs.  Les  points  indiquent  la  position  et  Tangle  des  caracteristiques 
d’une  empreinte  digitale.  On  peut  remarquer  comment  ils  sont  repositionnes  apres  une  transformation 
Gaussian.  Toute  methode  de  protection  de  gabarit  pourrait  utiliser  une  transformation  sans  inversion 
comme  moyen  de  masquer  les  donnees  du  gabarit.  Typiquement,  les  parametres  qui  ont  une  incidence 
sur  la  transformation  sont  utilises  comme  propriete  revocable  dans  un  gabarit  protege.  Pour  une  securite 
accrue,  ces  parametres  peuvent  etre  empruntes  a  une  donnee  fournie  par  Tutilisateur  comme  un  mot  de 
passe  ou  une  cle  privee. 

Generation  de  cie  parametrique 

Les  methodes  de  generation  de  cle  parametrique  classent  les  caracteristiques  biometriques 
conformement  aux  parametres  predefinis  et  generent  une  cle  issue  des  donnees  de  sortie  du  parametre 
plutot  que  du  gabarit.  Cette  approche  attenue  le  probleme  des  variances  intraclasses  puisque  la  forme  et 
la  position  des  caracteristiques  n’ont  pas  d’incidence  sur  la  construction  du  gabarit  chiffre.  Par  example, 
plutot  que  de  Stocker  les  emplacements  des  points  caracteristiques,  une  empreinte  digitale  est  classee 
selon  son  arche,  sa  boucle  ou  son  tourbillon.  De  nombreux  parametres  doivent  etre  definis  pour  assurer 
son  unicite  parmi  les  gabarits.  Le  rendement  de  tout  algorithme  de  generation  de  cle  parametrique 
depend  de  la  fiabilite  de  ses  parametres.  Un  parametre  est  considers  fiable  s’il  obtient  toujours  la  meme 
valeur  lorsqu’on  lui  presente  la  meme  donnee  biometrique.  Les  algorithmes  les  plus  efficaces 
comprennent  fort  probablement  de  nombreux  parametres  et  des  definitions  simples,  permettant  de 
nombreuses  combinaisons  et  des  interrogations  reproduites  avec  precision. 
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Projection  aleatoire 

La  projection  aleatoire  est  un  moyen  de  reduire  la  dimensionnalite  d’un  ensemble  de  points  tout  en 
preservant  les  distances  entre  ces  points.  Certaines  methodes  de  protection  des  gabarits  utilisent  la 
projection  aleatoire  comme  moyen  pour  tracer  aleatoirement  les  coordonnees  caracteristiques  tout  en 
preservant  la  signification  semantique  dans  I’ensemble  final. 


Evaluation  de  la  reconnaissance  de  I’iris  et  evaluation  du  rendement 


La  technologie  de  reconnaissance  de  I’iris  est  consideree  une  technologie  candidate  pour  les 
technologies  ACDB  en  raison  de  la  richesse  et  de  la  stabilite  des  donnees  relatives  aux  images  de  I’iris. 
Pour  jauger  la  pertinence  de  cette  modalite  dans  les  technologies  ACDB,  I’Indiana  University-Purdue 
University  Indianapolis  (lUPUl)  a  analyse  des  etudes  anterieures  relatives  au  rendement  de  la 
reconnaissance  de  I’lris  et  a  mene  une  nouvelle  etude  sur  ce  rendement. 

Evaluation  de  la  reconnaissance  de  I’iris  par  le  biais  des  ensembles  de  donnees  sur  des  iris  variable- 
qualite :  methodologie 

L’lUPUl  a  evalue  la  capacite  d’un  algorithms  de  reconnaissance  de  I’iris  commercial  de  traiter  sept  (7) 
ensembles  de  donnees  d’images  d’iris.  La  correspondance  a  ete  effectuee  sur  une  base  1:1  a  un  seuil  de 
defaillance  de  1:1. 


Nom  de  I’ensemble  de 
donnees 

Format  et  volume  de 
rimage 

Notes  qualite/saisie 

Iris  Challenge  Evaluation 
(ICE) 

640  X  480,  2  953  images 

Environnement  controls,  sujets  cooperatifs,  eclaire  dans 
le  proche  infrarouge  (NIR) 

Chinese  Academy  of 
Sciences  (CASIA)  2.0 

640  X  480,  2  400  images 

NIR 

CASIA  3.0  Set  1 

320  X  280,  2  639  images 

NIR;  saisie  en  deux  sessions,  >  d’un  mois  d’intervalle 

CASIA  3.0  Set  2 

640  X  480,  16  213  images 

NIR;  saisie  en  une  session 

CASIA  3.0  Set  3 

640  X  480,  3  183  images 

NIR;  saisie  en  une  session 

West  Virginia  University 

640  X  480,  1  852  images 

NIR;  bruyante,  donnees  heterogenes,  avec  masquages, 
eclairage  inconsistant,  flous,  iris  decales 

UBIRIS 

800  X  600,  1  877  images 

Images  couleur  acquises  dans  les  longueurs  d’ondes 
visibles;  deux  sessions  distinctes,  les  images  sent 
majoritairement  de  face 

Multimodal  Biometric 
Grand  Challenge 
(MBGC) 

2  048x2  048,  148  videos, 
durees  de  1  seconde 

NIR;  distance  focale  du  lOM  est  de  2  a  3  pieds,  les 
images  acquises  lorsque  les  sujets  marchent  en 
direction  de  la  camera,  majoritairement  des  prises  de 
face,  les  sujets  regoivent  la  consigns  de  regarder  la 
camera  de  balayage  des  iris 

lUPUl  multi-wavelength 

1  280  X  1  024,  352  videos 

NIR;  image  des  2  yeux  prise  a  2  moments  distincts,  la 
duree  entre  cheque  acquisition  de  donnees  est  d’au 
moins  une  semaine;  utilise  uniquement  les  ondes  vertes 
pour  les  essais 

lUPUl  Remote 

1  280  X  1  024,  731  videos, 
30  fps 

NIR;  le  rayon  d’iris  moyen  etait  de  95  pixels,  les  donnees 
ont  ete  acquises  en  deux  sessions,  au  moins  une 
semaine  entre  cheque  session,  six  (6)  videos  par  iris, 
variete  de  position  et  de  situations 
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WVUcbtabase  lUnJI  Retncite  cbtabas 


Evaluation  de  la  reconnaissance  de  I’iris  par  le  dials  d’ensembles  de  donnees  sur  les  iris  variable-qualite  : 
resultats  et  analyse 

Les  facteurs  utilises  pour  I’evaluation  du  rendement  etaient  la  qualite,  le  taux  de  faux  rejets  (TFR),  le  taux 
d’acceptation  erronee  (TAE)  et  le  taux  d’echec  de  traitement  (FTPR).  Les  resultats  sont  lllustres  dans  les 
tableaux  ci-dessous : 
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Dataset-Based  Iris  Recognition  Accuracy 


a: 

a: 


45.00% 

40.00% 

35.00% 

30.00% 

25.00% 

20.00% 

15.00% 

10.00% 

5.00% 

0.00% 


< 

•  I 

’Ul  Ml 

JLl 

'IV 

Vj 

rE: 

♦ 

M 

B( 

H 

:\siA 

3.C 

I 

i 

►  \ 

' 

u 

[IRIS 

(PS 

111 

1 

) 

B 

▼ 

1C 

e 

1.00E-07  1.00E-06  1.00E-05  1.00E-04 

FAR 


1  .OOE-03 


1.00E-02 


Failure  to  Process  Rates 


■19.07% 


al 

Cl. 


DRDC  css  CR  201 1-29 


Les  conclusions  suivantes  peuvent  etre  tirees  de  cette  evaluation  d’ensembles  de  donnees  multiples  : 

•  Le  traitement  et  la  correspondance  sont  tres  rapides.  Le  systeme  peut  effectuer  une  reconnaissance 
de  I’iris  en  17,8  ms  (y  compris  la  segmentation,  I’extraction  de  caracteristiques  et  la  correspondance 
1:1). 

•  II  possede  un  faible  taux  d’echec  d’acquisition  (FAR)  lorsqu’on  utilise  un  seuil  de  decision  (distance 
de  Hamming)  de  0,33.  La  distance  de  Hamming  utilisee  pour  I’identification  a  grande  echelle  aurait 
eu  comme  resultat  un  taux  d’echec  d’acquisition  (FAR)  de  0,00  %  et  un  taux  de  faux  rejets  (TFR)  plus 
eleves  pour  tous  les  ensembles  de  donnees. 

•  Le  systeme  est  en  mesure  de  traiter  des  images  dans  les  longueurs  d’ondes  visibles,  a  condition  que 
les  formes  d’iris  soient  bonnes  pour  la  reconnaissance. 

•  Le  systeme  fonctionne  raisonnablement  bien  lorsque  les  pupilles  sont  normalement  dilatees. 

Les  points  a  ameliorer  sont  les  suivants  : 

•  Le  systeme  est  incapable  de  traiter  des  images  non  cooperatives  et  decalees. 

•  Puisque  le  systeme  commercialise  est  congu  pour  des  images  recueillies  a  I’aide  d’un  systeme 
d’acquisition  precis  et  jumele,  il  existe  des  preferences  en  matiere  de  resolution  de  I’image  et 
d’eclairage.  En  general,  le  systeme  commercialise  fonctionne  mieux  avec  des  images  d’iris  d’une 
resolution  d’environ  200  pixels  surtout  I’iris.  Dependant,  le  systeme  sera  en  mesure  d’effectuer  une 
reconnaissance  de  I’iris  precise  si  la  resolution  de  I’image  peut  etre  adaptee  adequatement  sans 
deformer  I’iris. 

•  L’eclairage,  le  contraste  et  le  fou  anime  ont  une  grande  Incidence  sur  la  precision  de  la 
reconnaissance. 

•  Le  systeme  commercialise  ne  peut  pas  fonctionner  avec  des  images  d’iris  fences  dans  les  longueurs 
d’ondes  visibles  en  raison  du  manque  d’iris  reconnaissables. 

•  Les  distances  de  Hamming  ne  sont  pas  necessairement  symetriques.  Lorsqu’elles  sont  utilisees  pour 
I’enregistrement,  les  images  de  faible  qualite  ont  obtenu  de  plus  grandes  distances  de  Hamming 
(moins  bonnes). 

Incidence  de  la  compression  sur  la  reconnaissance  de  I’iris 

La  compression  des  donnees  commence  a  jouer  un  role  dans  I’utilisation  des  systemes  de 
reconnaissance  de  I’iris.  Sur  le  terrain,  les  applications  qui  utilisent  des  dispositifs  de  reconnaissance  de 
I’iris  portatifs  utilisent  souvent  des  communications  sans  fil  pour  se  brancher  au  serveur  central  lors  de 
I’identification  et  de  la  verification.  Bien  qu’il  soit  ideal  d’avoir  une  bande  passante  large  pour  la 
transmission  des  applications  en  temps  reel,  il  faut  souvent  transmettre  des  images  saisies  ou  des 
gabarits  sur  un  canal  de  communication  a  bande  passante  etroite.  Dans  ce  cas,  il  faut  mlnimiser  la 
quantite  de  donnees  a  transmettre  (ce  qui  est  possible  grace  a  la  compression)  afin  de  diminuer  le  temps 
necessaire  pour  les  transmissions  et  d’economiser  de  I’energie.  L’etude  a  analyse  des  evaluations 
menees  anterieurement  sur  les  techniques  de  compression,  y  compris  la  compression  des  regions 
d’interet. 

Reconnaissance  de  I’iris  avec  des  verres  de  contact 

Les  verres  de  contact  imprimes  peuvent  causer  des  erreurs  dans  le  systeme  de  reconnaissance  de  I’iris. 
Les  experts  ont  etudie  I’effet  des  verres  de  contact  transparents  sur  la  precision  de  la  reconnaissance  de 
plusieurs  systemes.  Leurs  donnees  ont  ete  prises  dans  le  meme  studio  avec  un  eclairage  ambiant 
interieur  constant.  Les  experts  ont  inspecte  visuellement  toutes  les  images  et  rejete  toutes  celles  de  faible 
qualite.  Ns  ont  ensuite  classe  les  sujets  portant  des  verres  de  contact  en  cinq  (5)  categories  distinctes. 
Douze  mille  trois  (12  003)  images  d’iris  provenant  de  87  sujets  portant  des  verres  de  contact  et 
9  697  images  de  sujets  ne  portant  pas  de  verres  de  contact  ont  ete  traitees  par  trois  (3)  algorithmes  de 
correspondance.  Les  sujets  portant  des  verres  de  contact  ont  ete  regroupes  en  cinq  (5)  categories 
differentes  selon  une  inspection  visuelle. 
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Categorie  0 

Aucun  verre  de  contact 

Categorie  1 

Aucune  modification  ou  modification  minima  de  I’iris.  Tout  au  plus,  ces  images 
presentent  un  bord  a  peine  visible. 

Categorie  2 

Les  images  presentent  une  limite  circulaire  definie  sur  la  zone  de  I’iris. 

Categorie  3 

Les  images  presentent  des  verres  munis  d’inscriptions,  des  verres  qui  s’ajustent  mal  et 
ne  sent  pas  a  plat  sur  I’iris  ou  des  verres  qui  produisent  un  artefact. 

Categorie  4 

Les  images  d’iris  ou  les  sujets  portent  des  verres  de  contact  durs.  Les  verres  de  contact 
durs  produisent  un  cercle  tres  distinct  et  deferment  la  zone  qu’ils  recouvrent. 

Les  resultats  ci-dessous  illustrent  de  legeres  augmentations  du  taux  de  faux  rejets  (TFR)  dans  les 
categories  0  a  3,  et  des  augmentations  importantes  du  TFR  dans  la  categorie  4. 


Intra-Category  FRR  for  All  Systems 


IrisBEE 

VeriEye 

Carnegie  Mellon 


Reconnaissance  de  I’iris  non-cooperative  basee  sur  une  video 

Au  fur  et  a  mesure  que  les  technologies  de  reconnaissance  de  I’iris  evoluent,  elles  seront  en  mesure 
d’acquerir  une  image  sans  que  I’utilisateur  final  ne  s’en  rende  compte.  Cela  fera  de  la  reconnaissance  de 
I’iris  une  excellente  technique  de  verification  puisqu’il  n’y  aura  pas  de  demande  d’effort  supplementaire 
pour  I’utilisateur.  Cette  technologie  constitue  egalement  un  bon  outil  potentiel  pour  la  recherche  de 
personnes  d’interet  puisqu’un  systeme  de  reconnaissance  de  I’iris  non-cooperatif  permet  d’identifier  des 
personnes  sans  que  celles-ci  ne  soient  mises  au  courant.  Cette  application  est  tout  particulierement 
interessante  pour  la  securite  dans  les  aeroports,  aux  frontieres  et  dans  tout  autre  place  publique. 

Reconnaissance  de  I’iris  basee  sur  les  longueurs  d’ondes  multiples 

Les  images  NIR  jouent  depuis  longtemps  un  role  predominant  dans  I’identification  de  I’iris.  L’un  des 
desavantages  de  la  lumiere  NIR  est  qu’elle  necessite  un  eclairage  NIR  actif.  La  reconnaissance  de  I’iris 
basee  sur  les  longueurs  d’ondes  visibles  pourrait  fonctionner  a  I’aide  d’un  eclairage  environnemental.  De 
plus,  la  reconnaissance  basee  sur  les  longueurs  d’ondes  visibles  est  importante,  car  elle  peut  etre  utilisee 
de  concert  avec  la  reconnaissance  faciale  pour  les  donnees  biometriques  multimodales.  Dans  quelques 
annees,  les  cameras  de  surveillance  en  couleur  normales  pourraient  etre  en  mesure  d’effectuer  la 
reconnaissance  de  I’iris.  La  reconnaissance  de  I’iris  basee  sur  les  longueurs  d’ondes  visibles  presente 
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ses  defis,  notamment  pour  les  yeux  de  couleur  foncee  et  pour  la  reconnaissance  a  distance.  On  pourrait 
voir  apparaitre  dans  I’avenir  un  systeme  de  reconnaissance  de  I’iris  a  longueurs  d’ondes  multiples,  lequel 
pourrait  etre  utilise  de  concert  avec  un  systeme  de  reconnaissance  faciale  a  longueurs  d’ondes  multiples 
pour  la  surveillance  video. 

Reconnaissance  multimodale  des  yeux 

Les  motifs  complexes  et  detailles  des  yeux  de  couleur  foncee  ne  peuvent  etre  reveles  que  sous  une 
lumiere  NIR  et  c’est  pourquoi  une  image  d’iris  obtenue  a  longue  distance  est  beaucoup  moins  precise.  Si 
on  obtient  une  image  d’iris  a  I’aide  d’une  lumiere  visible,  les  motifs  de  I’iris  des  yeux  de  couleur  foncee 
seront  pratiquement  invisibles.  La  sclerotique,  la  couche  protectrice  exterieure  blanche  et  opaque  de 
I’oeil,  peut  egalement  etre  utilisee  pour  identifier  les  humains.  Le  processus  de  segmentation  de  I’image 
de  la  sclerotique  comprend  le  sous-echantillonnage  de  I’image,  la  conversion  de  I’espace  couleur  HSV, 
I’estimation  de  la  region  de  la  sclerotique,  la  detection  de  I’iris  et  de  la  paupiere,  le  raffinage  des  limites  de 
la  paupiere  et  de  I’iris,  la  creation  d’un  masque  et  le  surechantillonnage  du  masque.  La  region  de  la 
sclerotique  est  estimee  a  I’aide  de  la  meilleure  representation  entre  deux  techniques  fondees  sur  les 
couleurs. 


Evaluation  du  rendement  des  technologies  ACDB  basees  sur  les  empreintes  digitales  GenKey 


Technologie  GenKey 


GenKey,  un  important  fournisseur  de  solutions  pour  I’amelioration  de  la  confidentialite  des  donnees 
biometriques,  a  developpe  un  algorithms  biocryptique  qui  fait  le  pont  entre  la  cryptologie  et  les  donnees 
biometriques.  Get  algorithms  brevets  convertit  une  image  biometrique  en  cles  cryptographiques 
compatibles  avec  I’infrastructure  a  cles  publiques  (ICP)  qui  sont  irreversibles  et  ne  partagent  aucune 
relation  mathematique  avec  les  sources  biometriques  qu’elles  representent.  Ses  solutions  peuvent  etre 
appliquees  a  une  variete  de  contextes,  y  compris  I’education,  I’homologation  et  les  soins  de  sante. 
L’algorithme  GenKey  offre  un  moyen  d’enregistrer  et  de  controler  des  individus  en  se  basant  sur  les 
renseignements  biometriques  comme  les  empreintes  digitales.  L’algorithme  offre  diverses  options  entre 
la  Vitesse  de  reconnaissance,  la  precision  et  la  confidentialite  des  donnees  biometriques. 

Gabarit  de  caracteristiques  GenKey  par  rapport  aux  enregistrements  de  de  d’identification 


Biometric 

Sample 


Feature 

Template 


L’algorithme  GenKey  peut  effectuer  deux  types  d’enregistrement.  Dans  le  cas  de  I’enregistrement  du 
gabarit  de  caracteristiques,  les  caracteristiques  discriminantes  des  images  d’empreintes  digitales  sont 

extraites  et  stockees  dans  un  gabarit 
de  donnees  biometriques  pour  un 
individu  donne.  Le  gabarit  des 
caracteristiques  est  stocke  pour  usage 
ulterieur  et  I’image  biometrique  peut 
etre  supprimee.  L’enregistrement  de  cle  d’identification  permet  aussi  d’extraire  des  caracteristiques 
discriminantes  des  images  d’empreintes  digitales,  mais  il  convertit  les  caracteristiques  en  une  valeur 
numerique  qui  represente  les  donnees  biometriques  de  I’individu.  A  la  fin  de  I’enregistrement  d’une  cle 
d’identification,  la  cle  (valeur  numerique)  est  stockee  et  I’image  biometrique  et  le  gabarit  de 
caracteristiques  peuvent  etre  supprimes.  Ce  type  d’enregistrement  est  le  centre  d’interet  de  revaluation 
du  rendement  d’IBG. 


IBG  a  mis  a  I’essai  deux  types  de  cle  d’identification  GenKey  : 

•  Les  cles  d’identification  standard  offrent  un  rendement  semblable  au  rendement  des 
enregistrements  du  gabarit  de  caracteristiques. 

•  Le  desavantage  des  cies  d’identification  fiexibies  est  la  taille  et  la  precision  des  cles. 
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IBG  a  evalue  le  rendement  des  cles  d’identification  standard,  de  meme  que  celui  des  cles  d’indentification 
flexibles  de  12,  25,  56  et  107  octets. 


Gabarit  de  caracteristiques 
(pas  une  technoiogie  ACDB) 

Cle  d’identification 
standard 

(technoiogie  ACDB) 

Cle  d’identification 
flexible 

(technoiogie  ACDB) 

Precision 

Les  enregistrements  des 
caracteristiques  offrent  le  rendement 
le  plus  fiable. 

Les  cles  d’identification 
standard  fonctionnent 
avec  des  taux  d’erreurs 
peu  sieves 

comparativement  aux 
gabarits  de 
caracteristiques. 

Les  cles  d’identification 
flexibles  offrent  une 
variete  d’options  de 
precision  en  matiere  de 
rendement.  Les  cles 
plus  grosses  offrent  une 
precision  semblable  aux 
cles  standard. 

Confidentiaiite 

Offre  une  certaine  confidentiaiite 
pour  les  empreintes  digitales;  I’acces 
a  un  gabarit  de  caracteristiques  ne 
donne  pas  a  un  utilisateur  malveillant 
la  capacite  de  reconstruire 

I’empreinte  digitale  originale.  Avec 
une  connaissance  du  processus  de 
creation  du  gabarit  de 
caracteristiques  GenKey,  un 
utilisateur  malveillant  pourrait 
acceder  aux  renseignements 
generaux  relatifs  a  la  structure  de 
I’empreinte. 

Les  cles  d’identification  offrent  un  avantage  de 
confidentiaiite  par  rapport  a  I’enregistrement  de 
gabarits  de  caracteristiques.  Un  utilisateur 
malveillant  ayant  acces  a  une  cle  d’identification 
ne  peut  pratiquement  pas  regenerer  les 
caracteristiques  des  empreintes  digitales  ou 
extraire  des  renseignements  detailles  relatifs  a  la 
structure  de  I’empreinte.  La  technique  utilises  pour 
convertir  le  gabarit  de  caracteristiques  en  une  cle 
est  semblable  a  une  fonction  cryptographique 
unidirectionnelle.  II  est  facile  de  calculer  une  cle 
d’identification  a  partir  d’un  gabarit  de 
caracteristiques,  cependant  il  est  impossible,  sur  le 
plan  des  calculs,  de  renverser  le  processus. 

Debit  de  traitement 

Les  enregistrements  de 
caracteristiques  permettent  les 
recherches  les  plus  rapides. 
L’algorithme  GenKey  est  en  mesure 
d’effectuer  des  millions  de 
correspondences  du  gabarit  de 
caracteristiques  par  seconds  a  I’aide 
de  materiel  informatique  normal. 

Bien  que  pas  aussi  efficace  que  la  correspondance 
des  gabarits  de  caracteristiques,  la  verification  des 
cles  d’identification  peut  aussi  etre  effectuee  assez 
rapidement  a  I’aide  de  materiel  informatique 
ordinaire.  GenKey  precede  a  I’estimation  de 
centaines  de  milliers  de  verifications  par  seconds. 

La  Vitesse  de  correspondance  augments  (c.-a-d. 
un  ralentissement)  au  fur  et  a  mesure  que  des 
seuls  de  correspondences  plus  strictes  sont 
appliques. 

Taiiie  type  de  ia  cie 

128-256  octets 

64-128  octets 

12-107  octets 

Donnees  d’essai  du  GenKey 

IBG  a  utilise  une  banque  d’environ  6  000  images  d’empreintes  digitales  plates  (index  gauche  et  droit) 

provenant  de  1  200  sujets, 
lesquelles  ont  ete 
recueillies  a  I’interieur.  Les 
images  des  empreintes 
digitales  ont  ete  recueillies 
a  I’aide  d’un  Cross  Match 
Verifier  de  500  ppp. 
Chaque  sujet  a  donne 

deux  echantillons  par  doigt  lors  de  la  premiere  visite.  Par  ailleurs,  environ  650  des  1  200  sujets  ont  offert 
deux  echantillons  par  doigt  lors  de  leur  deuxieme  visite,  laquelle  a  eu  lieu  environ  un  mois  apres  la 
premiere. 
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Processus  d’enregistrement  et  de  reconnaissance  GenKey 

A  I’aide  d’une  trousse  de  developpement  de  logiciel  (SDK)  fournie  par  GenKey,  IBG  a  developpe  une 
application  personnalisee  qui  a  permis  d’extraire  les  caracteristiques,  de  creer  un  gabarit  et  de  creer  une 
cle  d’identification.  Les  deux  empreintes  de  I’index  devaient  s’etre  enregistrees  afin  que  la  saisie  soit 
consideree  un  succes.  IBG  a  aussi  developpe  une  application  personnalisee  qui  effectuait  la 
correspondance  en  bloc.  Les  images  d’empreintes  digitales  obtenues  lors  de  la  deuxieme  visite  ont  ete 
utilisees  pour  la  reconnaissance  (p.  ex. :  comme  images  de  sondage)  et  ont  ete  comparees  aux  donnees 
de  la  premiere  visite. 


En  plus  d’utiliser  I’algorithme  GenKey  pourtraiter  les  donnees,  IBG  a  precede  au  traitement  des  memes 
ensembles  de  donnees  d’empreintes  digitales  avec  un  algorithme  largement  adopte  base  sur  les 
empreintes  et  points  caracteristiques  Neuortechnology  VeriFinger,  version  6.3.  L’approche  de  traitement 
VeriFinger  e\a\\  equivalente  a  I’approche  GenKey  decrite  ci-dessous.  La  comparaison  et  le  contraste  des 
resultats  GenKey  et  des  resultats  V'e/'/F/nger  permettent  d’obtenir  un  cadre  general  de  reference  pour 
valider  la  viabilite  commerciale  de  la  technologie  des  des  d’identification  GenKey. 
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Visit  2 
Left  Index 
Sample  1 


Visit  2 
Left  Index 
Sample  1 


Visit  2 

Right  Index  - > 

Sample  1 


Visit  2  ^ 

Right  Index  - > 

Sample  2  '  ^ 


Left  Ihdex 

I  ip^ey  I 


Processus  de 
reconnaissance 


0010101001... 


Match  / 
No  Match 


0010101001... 


Left  Ihdex 


Match  / 
No  Match 


Right'lndex 

iJ^j 

! 


Transaction 

Decision 


0010101001... 


Match  / 
No  Match 


0010101001... 


Match  / 
No  Match 


Les  volumes  de  traitement  sont  illustres  ci-dessous. 


GenKey 

VeriFinger  6.N 

Sujets 

650 

650 

Comparaisons 

acceptables 

456 

459 

Comparaisons 

imposteurs 

550  976 

560  741 

Resultats  des  essais  GenKey 

En  se  fondant  sur  les  processus  de  collecte  et  de  comparaison  decrits  ci-dessus,  les  mesures  suivantes 
ont  ete  obtenues : 


Mesures  de  convivialite 

Mesures  de  precision 

•  Taux  d’echec  d’encodage 
(FTE) 

•  Taux  d’echec  d’acquisition 
(FTA) 

•  Temps  de  traitement 

•  T aux  de  fausse  correspondance 
(FMR) 

•  Taux  de  fausse  non- 
correspondance  (FNMR) 

•  Distribution  des  erreurs  par  sujets 

Echec  de 
i’enregistrement 

Tentatives  d’enregistrement 

Compte  FTE 

Taux  FTE 

VeriFinger  6.3 

2  448 

42 

1 ,72  % 

Cle  d’identification 

2  448 

45 

1 ,84  % 
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GenKey 

Echec  d’acquisition 

Tentatives  d’encodage  de 
reconnaissance 

Compte  FTA 

Taux  FTA 

VeriFinger  6.3 

1  841 

1 

0,05  % 

Cle  d’identification 
GenKey 

1  841 

66 

3,59  % 

Les  resultats  demontrent  que  les  taux  d’echec  d’encodage  (FTE)  de  GenKey  et  de  Verifinger  sont 
pratiquement  equivalents,  tandis  que  le  taux  d’echec  d’acquisition  (FTA)  de  GenKey  est  de  beaucoup 
superieur  a  celui  de  VeriFinger.  Cela  permet  de  mettre  en  evidence  le  concept  que  GenKey  utilise  des 
images  de  haute  qualite,  lesquelles  sont  validees  en  temps  reel  au  point  de  saisie. 


r - - - - - * - - - - - — - 

Two-Position  Matching  (Left  and  Right  Index) 


% 

2  l.OOE-02 

c 

O 

z 

0) 


—standard 

- 107-bit 

- 56-bit 

- 25-bit 

- 12-bit 

—Veri  Finger 


1jX)E-03 

l.CX)E-04 


1.00E-D3 


l.OOE-02 


False  Match  Rate 


l.OOE-01 


Une  evaluation  du  rendement  comparative  avec  un  ensemble  de  donnees  difficiles  demontre  la  viabilite 
des  technologies  ACDB  commerciales  utilisant  les  empreintes  digitales.  Le  rendement  des  technologies 
ACDB  est  tres  semblable  de  celui  d’un  coupleur  fonde  sur  les  points  caracteristiques  mis  a  I’essai  par 
NIST  et  largement  deploye. 

Pour  de  nombreux  systemes  biometriques,  certains  sujets  obtiennent  des  taux  de  fausses 
correspondances  plus  eleves  que  d’autres.  IBG  a  analyse  la  distribution  de  fausses  correspondences 
chez  les  sujets.  Les  taux  de  fausses  correspondances  specifiques  aux  sujets  (cumules  a  partir  de  tous 
les  types  et  de  toutes  les  tallies  de  de  d’identification  et  mesures  a  un  seuil  type  de  0,45)  se  situaient 
aussi  haut  que  4,04  %  et  aussi  bas  que  0,00  %.  Bien  que  les  taux  de  fausses  correspondances 
decroissent  generalement  lorsque  la  taille  des  des  augmente,  dans  certains  cas  les  sujets  ont  connu  des 
taux  de  fausses  correspondances  plus  eleves  avec  de  plus  grosses  des.  Par  example,  251  des  457 
sujets  ont  connu  des  taux  de  fausse  correspondance  plus  eleves  avec  des  des  d’identification  de 
56  octets  qu’avec  des  des  de  25  octets. 
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Conclusions 


Les  conclusions  suivantes  peuvent  etre  tiroes  de  la  presente  etude  : 

•  Les  aspects  du  rendement  de  la  reconnaissance  non-cooperative  de  I’iris,  y  compris  le  taux  eleve 
d’enregistrement  et  de  fausses  non-correspondances,  compliquent  son  utilisation  comme  technologie 
ACDB. 

•  La  saisie  de  reconnaissance  de  I’iris  controlee  ou  les  images  d’iris  de  haute  qualite  accroitront 
I’usage  de  I’iris  comme  technologie  ACDB. 

•  Une  evaluation  du  rendement  comparative  et  un  ensemble  de  donnees  difficiles  demontrent  la 
viabilite  des  technologies  ACDB  commerciales  utilisant  les  empreintes  digitales. 

•  Le  rendement  de  GenKey  est  tres  semblable  a  celui  d’un  coupleur  fonde  sur  les  points 
caracteristiques  mis  a  I’essai  par  NIST  et  largement  deploys. 

•  Les  personnes  chargees  de  la  mise  en  oeuvre  devraient  etudier  comment  incorporer  les  approches 
fondees  sur  les  cles  a  I’architecture  de  leurs  applications. 
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Background  and  Objectives 


This  document  is  the  Study  Report  for  PSTP  02-035 IBIO,  Biometric  Data  Safeguarding  Technologies  Analysis 
and  Best  Practices. 

Biometrics  is  one  of  two  approved  Communities  of  Practice  (CoPs)  under  Public  Security  Technical  Program’s 
(PSTP’s)  Surveillance,  Intelligence,  and  Interdiction  (SII)  Domain.  SII  encompasses  capabilities  that  allow  Canada 
to  monitor  the  security  environment,  understand  the  threats  to  national  security,  and  direct  an  effective  and 
proportionate  response  to  deter,  disrupt,  or  defeat  threats  to  Canada.  Biometrics  can  assist  these  efforts  by  using 
technology  to  capture  biometric  samples,  perform  feature  extraction  or  dataset  creation,  and  perform  one-to-one  or 
one-to-many  searches  to  identify  or  confirm  the  identity  of  individuals.  ^ 

One  of  the  main  goals  of  PSTP’s  Biometrics  CoP  is  to  evaluate,  analyze,  and  implement  biometric  technologies  that 
enhance  national  capabilities  in  access  control,  identity  verification,  and  e-Commerce  security  in  a  manner  that  is 
consistent  with  Canadian  laws  and  acts.  This  is  done  in  collaboration  with  the  appropriate  Government  of  Canada 
agencies  and  departments  responsible  for  national  security,  border  control  and  security,  and  law  enforcement  and 
immigration.  This  effort  will  also  be  leveraged  through  the  Memorandum  of  Understanding  (MOU)  that  establishes 
collaborative  science  and  technology  (S&T)  with  the  United  States  Department  of  Homeland  Security. 

The  rapid  progress  of  biometrics  technology  in  the  last  few  years  and  the  ease  with  which  biometrics  data  can  be 
acquired  has  resulted  in  the  accumulation  of  large  varying  databases  of  biometrics  information.  This  trend  will 
continue  in  the  future,  with  databases  growing  at  an  ever-increasing  rate.  The  purpose  of  the  Study  is  to  examine 
some  of  the  issues  surrounding  the  sharing  and  safeguarding  of  biometric  data  in  the  Canadian  Public  Security 
context  writ  large.  Throughout  the  study,  the  modality  focus  will  be  on  iris  biometrics  (prime  focus)  and  fingerprints 
(secondary). 

The  primary  objective  of  this  work  is  to  support  the  Biometrics  CoP  by  leading  scientific  studies  that  identify  and 
evaluate  biometric  technologies  with  respect  to  their  ability  to  be  used  securely  (in  terms  of  safeguarding  biometric 
databases).  These  new  biometric  technologies  and  associated  data  safeguarding  capabilities  must  be  consistent  with 
the  Government  of  Canada’s  dual  prosperity  and  security  mandates,  and  must  consider  legal,  ethical,  cultural,  and 
privacy  issues. 

Biometric  privacy  enhancing  technologies  (PETs)  are  among  the  most  promising  technologies  for  data  safeguarding. 
These  technologies  leverage  biometric  information  to  improve  and  ensure  personal  privacy  while  protecting 
sensitive  information  and  assets.  PETs  can  be  categorized  as  follows: 

•  Untraceable  Biometrics  -  defined  by  Dr.  Ann  Cavoukian,  Ontario  Privacy  Commissioner,  as  a  new  class  of 
emerging  privacy  enhancing  technologies  such  as  biometric  encryption 

•  Anonymous  Biometrics  -  a  system  where  biometric  data  are  not  connected  to  any  personal  data;  biometric  data 
can  be  taken  to  another  system  to  connect  with  personal  information 

•  Revocable  (^‘Private”)  Biometrics  -  allow  people  to  have  multiple  biometric  identities  using  the  same 
biometric  information;  identities  can  be  used  independently  or  anonymously 

Study  PSTP  02-035  IBIO  addresses  Biometric  Data  Safeguarding  Technologies  Analysis  and  Best  Practices  through 
the  following  tasks. 

•  Review  the  emergence  of  biometrics  for  defence  and  security  and  identify  the  issues  surrounding  data  sharing 
and  safeguarding 

•  Compare  and  contrast  biometric  technologies  for  biometric  data  safeguarding  that  are  currently  in  use  or 
planned  for  use  in  other  national  and  international  jurisdictions 

•  Evaluate  the  applicability  of  these  biometric  technologies  and  associated  data  safeguarding  constraints  in  terms 


^  http://www.css.drdc-rddc.qc.ca/pstp/proi-prop/call-appel/bionnetrics-bionnetrie/bionnetrics-bionnetriesOQ-enq.asp 
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of  supporting  cross-jurisdictional  public  security  environments 

•  Evaluate  state-of-the-art  biometric  technologies  and  their  vulnerabilities  in  terms  of  protecting  identity  and 
complying  with  federal  privacy  standards  and  policies 

•  Survey  and  evaluate  associated  issues  of  interoperability,  database  sharing,  and  format  sharing  internationally 
and  interdepartmentally,  and  identify  any  emerging  biometric  technologies  (e.g.,  multilevel  security  solutions) 
that  may  offer  potential  solutions 

•  Address  issues  of  cost,  Canadian  privacy  policy,  and  Technology  Readiness  Level  (TRL)  of  these  data 
safeguarding  technologies  or  procedures,  with  timeframe  projections  for  implementation 

The  Lead  Lederal  Department  for  the  Study  is  Canada  Border  Services  Agency  (CBSA).  Addition  partners  include 

the  following: 

•  Royal  Canadian  Mounted  Police 

•  Transport  Canada 

•  Defence  Research  and  Development  Canada  (DRDC)  -  Toronto 

•  Office  of  the  Information  and  Privacy  Commissioner  of  Ontario 

•  University  of  Toronto 

•  Indiana  University-Purdue  University  Indianapolis  (lUPUI) 

•  IBG-Canada  (Study  Report  author) 
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Biometric  Data  Safeguarding  in  Defence  and  Security  Applications 


Emergence  of  biometric  technology  in  defence  and  security  applications  has  resulted  in  the  creation  of  large-scale 
datasets  of  biometric  information  of  both  national  and  international  scale  and  presenting  a  new  set  of  challenges 
regarding  privacy  and  data  safeguarding  of  personally  identifiable  datasets.  Biometric  datasets  represent  very 
sensitive  personally  identifiable  information.  When  used  to  authenticate  a  subject’s  transactions,  they  could  be 
misused  to  track  the  subject’s  actions  and  movements.  In  the  case  of  fingerprints,  biometric  datasets  could  even  be 
used  to  falsely  incriminate  the  subject  in  a  physical  crime.  This  section  examines  the  types  of  biometric  technology 
prevailing  in  defence  and  security  applications  and  identifies  potential  threats  to  security  and  privacy  surrounding 
data  sharing  and  safeguarding  in  biometric-enabled  applications. 

2.1  Biometric  Technologies:  Operation,  Strengths,  and  Weaknesses 

Leading  biometric  technologies  for  defence  and  security  scenarios  include  fingerprint  recognition,  face  recognition, 
and  iris  recognition.  The  basic  operations,  strengths,  and  weaknesses  of  each  technology  are  discussed  below. 

2.1.1  Fingerprint 

Fingerprint  technology  utilizes  the  distinctive  features  to  identify  or  verify  the  identity  of  individuals.  Fingerprint 
recognition  is  the  most  commonly  deployed  biometric  technology,  used  in  a  broad  range  of  physical  and  logical 
access  applications.  Fingerprint  recognition  refers  to  use  in  either  1:1  verification  or  small-scale  identification 
against  hundreds  or  thousands  of  enrolled  records.  Large-scale  systems  that  match  millions  of  fingerprints  are 
referred  to  as  APIS  (automated  fingerprint  identification  systems).  APIS  implementations  are  much  more  complex 
than  1 : 1  fingerprint  implementations,  though  defence  and  security  applications  often  deploy  both  1 : 1  and  1  :N 
systems. 

Fingerprint  systems  are  comprised  of  image  acquisition  hardware,  image  processing  components,  template 
generation  and  matching  components,  and  storage  components.  These  components  can  be  located  within  a  single 
peripheral  or  standalone  device,  or  may  be  spread  between  a  peripheral  device,  a  local  PC,  and  a  central  server. 
High-level  strengths  and  weaknesses  are  shown  in  Figure  1. 


Fingerprint:  Strengths 

Fingerprint:  Weaknesses 

•  Proven  technology  capable  of  high  accuracy 

•  Performance  (accuracy,  throughput)  of  leading 
technologies  is  well-documented  and  understood 

•  Ability  to  enroll  multiple  fingers;  exceptionally  high 
accuracy  for  ten  print  collections 

•  Ergonomic,  easy-to-use  devices 

•  Fingerprint  data  is  almost  universally  interoperable, 
facilitating  searches  against  watchlists 

•  Performance  can  deteriorate  over  time 

•  Association  with  forensic  applications 

•  Users  can  intentionally  damage  fingerprints,  reducing 
performance 

•  Implementation  of  large-scale  systems  requires  highly 
specialized  expertise  for  performance  tuning  and 
optimization 

Figure  1:  Fingerprint  Strengths  and  Weaknesses 


The  five  stages  involved  in  fingerprint  verification  and  identification  are  image  acquisition,  image  processing, 
location  and  encoding  of  distinctive  characteristics,  template  creation,  and  template  matching. 

Fingerprint  systems  acquire  one  or  more  fingerprint  images  and  convert  images  to  digital  format.  Image  processing 
subroutines  eliminate  gray  areas  from  the  image  by  converting  the  fingerprint  image’s  gray  pixels  to  white  and 
normalizing  ridge  width  and  flow.  Fingerprint  recognition  systems  utilize  proprietary  algorithms  to  map  the  absolute 
and  relative  position  of  minutiae,  the  distinctive  points  found  in  fingerprint  ridges.  Large-scale  systems  also  use 
ridge  flow  information.  Algorithms  compare  template  data  from  one  or  more  fingerprints,  working  through 
permutations  of  minutiae  offsets  to  identify  and  score  similarities.  The  resulting  acceptance  or  rejection  of  the  user’s 
access  is  based  on  reaching  an  acceptable  level  of  correlation  between  the  two  templates.  A  correlation  threshold  is 
necessary  because  subtle  changes  in  fingerprint  placement  and  minutiae  recognition  mean  that  no  two  fingerprint 
templates  will  be  exactly  alike. 
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Positive  and  negative  error  rates,  as  well  as  enrollment  failure  rates,  are  low  for  most  fingerprint  devices  and 
systems,  assuming  that  multiple  fingerprints  are  acquired  on  enrollment.  A  small  percentage  of  users,  varying  by  the 
specific  technology  and  user  population,  are  unable  to  enroll  in  some  fingerprint  systems.  Furthermore,  certain 
demographic  groups  -  such  as  elderly  populations  and  manual  laborers  -  often  have  lower  quality  fingerprints  and 
are  more  difficult  to  enroll.  Although  the  fingerprint  is  a  stable  physiological  characteristic,  a  variety  of  factors  can 
cause  the  performance  of  some  fingerprint  recognition  technologies  to  worsen  drastically  over  time,  particularly 
when  a  limited  number  of  fingerprints  are  used  for  matching.  Although  high-quality  enrollment  improves  long-term 
performance,  users  who  work  with  their  hands  are  likely  to  see  increased  error  rates  over  time. 


Fingerprint  recognition  technology  includes  peripheral  devices,  imbedded  devices,  wall  mounted  devices,  and  large 
units  designed  for  heavy-duty  operation.  For  border  control  deployments,  the  primary  question  in  terms  of  device 
selection  is  whether  to  deploy  single-finger  readers  or  ten-print  devices  (see  Figure  2).  US- VISIT  was  initially 
deployed  with  single-finger  readers,  and  migrated  to  ten-print  devices  when  it  became  clear  that  more  than  two 
fingerprint  positions  would  be  necessary  to  maintain  acceptable  levels  of  accuracy  and  match  speed  for  that 

deployment’s  immense  transaction 
volume.  Single-finger  readers  are  suited 
for  deployments  in  which  no  more  than 
two  positions  (e.g.  left  and  right  index)  are 
acquired.  Increasingly,  agencies  are 
making  the  investment  in  ten-print  devices 
capable  of  acquiring  all  ten  finger 
positions  in  three  placements  (left  4,  right 
4,  and  thumbs).  The  collection  of  ten 
prints  not  only  reduces  collection  errors 
(e.g.  swapping  left  for  right),  but  it 
increases  the  scalability,  accuracy,  and  speed  of  fingerprint  matching  by  orders  of  magnitude  relative  to  1-  or  2- 
position  systems. 


Figure  2:  Single-Finger  and  Ten-print  Deviees 


Large-scale  defence  and  security  applications  deploy  AFIS  technology  in  their  identification  systems  around  the 
world  as  the  technology  is  a  proven,  central,  and  established  part  of  law  enforcement  and  security  check  processes. 
Although  biometrics  cannot  solve  the  problem  of  fraudulent  identity  documents  being  used  to  establish  an  identity, 
they  can  address  the  problem  of  duplicate  identities  creation.  Such  systems  will  provide  both  AFIS  and  I :  I 
functionality. 


2.1.2  Face  Recognition 

Face  recognition  technology  utilizes  distinctive  facial  features  to  verify  or  identify  individuals.  Face  recognition  is 
primarily  deployed  in  1  :N  applications,  though  improvements  in  system  and  workflow  design  (as  well  as  digital 
imaging)  have  increased  the  performance  of  face  recognition  in  1:1  applications.  Used  in  conjunction  with  ID  card 
systems,  booking  stations,  and  for  various  types  of  surveillance  operations,  face  recognition’s  most  successful 
implementations  take  place  in  environments  where  cameras  and  imaging  systems  are  already  present. 

Face  recognition  systems  can  range  from  software-only  solutions  that  process  images  acquired  through  existing 
cameras  (e.g.  still  or  CCTV)  to  full-fledged  acquisition  and  processing  systems  with  dedicated  cameras  and 
illuminators.  In  some  face  systems,  the  core  technology  is  optimized  to  work  with  specific  cameras  and  acquisition 
devices.  More  often,  the  core  technology  is  designed  to  enroll,  verify,  and  identify  face  images  acquired  through 
various  methods  such  as  static  photographs,  web  cameras  and  surveillance  cameras.  Face  recognition  systems  are 
not  often  integrated  into  1 : 1  physical  access  applications  and  are  more  likely  to  be  used  in  large-scale  identification 
or  surveillance.  High-level  strengths  and  weaknesses  are  shown  in  Figure  3. 


Face  Recognition:  Strengths 

Face  Recognition:  Weaknesses 

•  Does  not  require  user  training  or  effort 

•  Can  often  leverage  existing  image  datasets  and  existing 
photograph  proeesses 

•  Susceptible  to  high  false  non-match  rates  in  1 : 1  and  1  :N 
applications 

•  Changes  in  acquisition  environment  reduce  matching 

DRDC  CSS  CR  201 1-29 


•  Capable  of  identification  at  a  distance 

accuracy 

•  Capable  of  rapid  1  :N  identification  with  relatively  little 

•  Changes  in  physiological  characteristics  reduce  matching 

processing  power 

accuracy 

•  Performance  improves  hand-in-hand  with  camera  quality 
and  image  resolution 

•  Lighting,  camera  angle  reduce  matching  accuracy 

Figure  3:  Face  Recognition  Strengths  and  Weaknesses 


Face  recognition  technology  is  based  on  the  standard  biometric  sequence  of  image  acquisition,  image  processing, 
distinctive  characteristic  location,  template  creation,  and  matching.  Face  recognition  technology  can  acquire  faces 
from  almost  any  static  camera  or  video  system  that  generates  images  of  sufficient  quality  and  resolution.  Ideally, 
images  acquired  for  face  recognition  will  be  acquired  through  high-resolution  cameras,  with  users  directly  facing  the 
camera,  and  with  moderate  lighting  of  the  face. 

Face  images  are  normalized  to  overcome  variations  in  orientation  and  distance.  In  order  to  do  this,  basic 
characteristics  such  as  the  middle  of  the  eyes  are  located  and  used  as  a  frame  of  reference.  Once  the  eyes  are  located, 
the  face  image  can  be  rotated  clockwise  or  counter-clockwise  to  straighten  the  image  along  a  horizontal  axis.  The 
face  can  then  be  magnified,  if  necessary,  so  that  the  face  image  occupies  a  minimum  pixel  space.  Once  an  image  is 
standardized  according  to  the  vendor’s  requirements,  the  core  processes  of  distinctive  characteristic  location  can 
occur.  Features  most  often  utilized  in  face  recognition  systems  are  those  least  likely  to  change  significantly  over 
time:  upper  ridges  of  the  eye  sockets,  areas  around  the  cheekbones,  sides  of  the  mouth,  nose  shape,  and  the  position 
of  major  features  relative  to  each  other.  Face  recognition  is  not  as  effective  as  fingerprint  or  iris  recognition  in 
identifying  a  single  individual  from  a  large  dataset.  A  number  of  potential  matches  are  generally  returned  after  large- 
scale  face  recognition  identification  searches.  For  example,  a  system  may  be  configured  to  return  the  10  or  100  most 
likely  matches  on  a  search  of  a  Im-person  dataset.  A  human  operator  would  then  determine  whether  any  candidates 
are  legitimate  matches. 

Relative  to  fingerprint  and  iris  recognition,  face  recognition  systems  encounter  higher  false  non-match  rates  over 
time,  as  the  effects  of  aging  seem  to  impact  face  recognition  performance  to  a  greater  degree  than  fingerprint  or  iris 
recognition.  The  performance  gap  narrows  if  very  high-resolution  face  images  are  used  for  enrollment  and  matching. 
Assuming  that  face  images  are  acquired  from  a  fixed  distance  under  consistent  lighting  and  background  conditions, 
the  technology  is  substantially  more  accurate  than  is  perceived.  Simple  changes  in  user  appearance  can  to  have  an 
impact  on  systems’  ability  to  reliably  identify  enrolled  users.  Changes  in  hairstyle,  makeup,  or  facial  hair,  or 
addition  or  removal  of  eyeglasses,  can  cause  users  to  be  falsely  rejected.  Emerging  techniques,  such  as  3D 
reconstruction  and  modeling,  have  led  to  the  development  of  more  robust  algorithms  which  may  be  less  susceptible 
to  such  changes. 

In  an  effort  to  reduce  environmental  impact  on  accuracy,  deployers  and  practitioners  have  become  much  more 
cognizant  of  the  role  of  image  quality  in  face  recognition  accuracy.  When  face  recognition  systems  perform  poorly 
(e.g.  encounter  high  false  non-match  rates),  the  culprit  is  often  the  imaging  process  as  opposed  to  the  matching 
algorithm.  Deployers  now,  whenever  possible,  integrate  real-time  face  image  quality  validation  at  the  point  of 
capture.  By  enforcing  the  quality  of  input  images,  the  overall  accuracy  and  scalability  of  face  recognition  systems 
improves  substantially.  This  approach  also  brings  face  recognition  system  design  closer  to  that  of  fingerprint  and  iris 
systems,  both  of  which  implement  rigorous  control  on  input  image  quality. 
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2.1.3 


Iris  Recognition 


Iris  recognition  technology  encodes  and  matches  iris  patterns  to  identify  enrolled  users.  Iris  recognition  systems  are 
comprised  of  collection  devices  and  encoding  /  matching  engines.  Collection  devices  (see  Figure  4)  include 
advanced  imaging  and  optics  components  along  with  one  or  more  infrared  illuminators.  Images  may  be  encoded  and 
matched  on  the  device,  on  a  host  PC,  or  on  a  central  server. 


Iris  recognition  technology  requires  the  acquisition  of  a  high-resolution,  infrared-illuminated  image  to  effectively 
locate  and  encode  iris  data.  Iris  recognition  technology  is  imbedded  in  peripheral  cameras  no  larger  than  typical  web 
cams,  and  is  also  build  into  wall-mounted  and  kiosk-based  form  factors  for  access  control  and  identification 
applications.  The  latter  types  have  been  deployed  successfully  in  air  travel  applications,  and  are  generally  capable  of 
acquiring  higher-quality  iris  images  (and  therefore  providing  higher  degrees  of  accuracy). 

Once  the  iris  is  located  and  segmented,  a  grayscale  image  is  used  for  feature  extraction.  Characteristics  derived  from 
the  iris  include  the  orientation  and  spatial  frequency  of  furrows  and  striations.  Iris  recognition  is  recognized  for  (I) 
resistance  to  false  matching  regardless  of  dataset  size  and  (2)  rapid  searches  of  large  datasets.  Assuming  that 
thresholds  are  properly  implemented,  false  positive  matches  should  be  exceptionally  rare.  In  fact,  some  iris  systems 
are  implemented  such  that  all  matches  are  assumed  to  be  positive.  The  tradeoff  is  that  iris  systems  may  be  more 
prone  to  false  negatives  (in  which  an  enrolled  subject  is  falsely  not  identified)  than,  for  example,  fingerprint 
systems.  High-level  strengths  and  weaknesses  are  shown  in  Figure  5. 


Iris  Recognition:  Strengths 

Iris  Recognition:  Weaknesses 

•  Exceptionally  resistant  to  false  matching 

•  Default  operation  is  identification  mode 

•  High  stability  of  characteristic  over  lifetime 

•  Hands-free  operation 

•  Real-time  searches  against  large  datasets  (e.g.  10m  irises) 
are  possible  with  modest  CPU  loads 

•  Acquisition  of  iris  image  requires  more  training  and 
attentiveness  than  most  biometrics 

•  User  discomfort  with  eye-based  technology 

•  Glasses  can  impact  performance 

•  Propensity  for  false  non-matching  or  failure  to  capture 

Figure  5:  Iris  Recognition  Strengths  and  Weaknesses 


The  acquisition  process,  and  the  effort  required  on  the  part  of  the  user,  differs  from  device  type  to  device  type.  More 
so  than  in  many  biometric  systems,  users  must  be  cognizant  of  the  manner  in  which  they  interact  with  the  system: 
iris  acquisition  requires  fairly  precise  positioning  of  the  head  and  eyes.  Several  types  of  devices  are  used  in  iris 
recognition  applications,  some  of  which  are  better  suited  to  usage  in  border  applications  than  others.  Regardless  of 
the  acquisition  device,  individuals  are  required  to  position  themselves  at  a  specified  distance  from  the  camera; 
distances  range  from  a  few  inches  to  a  few  feet.  Certain  devices  may  prompt  the  user  with  verbal  instructions. 


2  http://www.aoptix.conn/bionnetrics/AOptixBionnetrics-DS6P.pdf 
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The  iris  recognition  market  has  undergone  a  radical  transformation  since  the  late  2000 ’s.  Up  to  that  point,  a  single 
vendor  dominated  the  market  for  matching  technology,  and  capture  devices  had  to  deliver  images  that  conformed  to 
this  vendor’s  requirements.  Since  then,  numerous  iris  recognition  algorithms  have  become  commercially  available; 
independent  testing  has  demonstrated  that  many  newer  algorithms  are  roughly  on  par  with  more  established 
algorithms  in  terms  of  speed  and  accuracy.  Further,  numerous  capture  devices  have  come  to  market  -  ranging  from 
low-end  peripherals  to  high-end  stand-off  devices  -  greatly  expanding  the  range  of  applications  for  iris  recognition 
technology.  Perhaps  most  importantly,  current-generation  iris  systems  collect  and  store  iris  images  as  opposed  to 
proprietary  templates.  Therefore  one  of  the  largest  impediments  to  iris  recognition  adoption  in  defence  and  security 
applications  -  that  of  reliance  on  proprietary  data  formats  -  is  a  non-issue  in  most  modem  iris  recognition  systems. 

2.1.4  Multiple  biometrics 

Multiple  biometric  solutions  involve  the  submission  of  more  than  one  biometric  characteristic  for  verification  or 
identification.  These  submissions  can  be  simultaneous  or  serial;  a  second  biometric  sample  may  be  required  if  a 
primary  biometric  is  rejected,  or  may  be  required  for  each  verification  or  identification.  Multiple  biometric  solutions 
can  be  designed  to  decrease  FTE  rates,  as  users  unable  to  enroll  in  one  biometric  technology  will  generally  be  able 
to  enroll  in  a  second  technology.  This  reduces  the  need  for  non-biometric  fallback  processing.  Multiple  biometrics 
can  be  used  to  increase  security  by  requiring  that  an  imposter  defeat  two  biometrics  to  be  verified;  they  can  also 
increase  convenience  by  allowing  an  individual  to  verify  on  a  secondary  biometric  if  the  first  biometric  fails. 

Using  multiple  biometrics  also  allows  for  the  introduction  of  sophisticated  decision  logic  when  verifying  or 
identifying  individuals.  Beyond  a  simple  yes/no  decision  in  which  an  individual  must  match  in  two  systems  in  order 
to  be  verified,  “fusion  systems”  can  be  implemented  in  which  a  near-match  in  one  system  allows  a  lower  score  in  a 
second  system  to  constitute  a  match.  Similarly,  a  very  low  score  in  one  biometric  system  may  require  a  very  high 
score  in  a  second  system  in  order  for  an  individual  to  be  declared  a  “match”.  By  combining  raw  scores  from  vendor 
technologies,  and  adjusting  thresholds  based  on  application-specific  requirements,  deployers  can  implement  more 
flexible  systems.  In  addition,  using  multiple  biometrics  during  enrollment  may  allow  for  more  rapid  and  more 
accurate  searches.  If  one  technology  is  used  as  a  gross  classifier,  such  that  a  technology  eliminates  60%  of 
individuals  in  a  dataset  in  a  rapid  1  :N  search,  then  a  more  robust  1  :N  technology  can  be  used  to  search  the  remaining 
40%  of  individuals  for  duplicates. 

Many  large-scale  civil  and  criminal  identification  systems  utilized  in  defence  and  security  applications  process 
multiple  biometric  facets  during  enrollment.  This  results  in  creation  of  biometric  profiles  for  large  numbers  of 
individuals  that  enable  future  functionality  through  different  technology  combinations.  Multimodal  biometric 
systems  can  mitigate  certain  performance  and  robustness  limitations  associated  with  single-modality  systems.  A 
multimodal  biometric  system  based  on  non-correlated  traits  is  expected  to  improve  matching  accuracy  and  to 
increase  protection  against  spoof  attacks. 

Civil  ID,  inclusive  of  passport,  national  ID,  and  entitlement  applications,  is  the  strongest  application  for  multiple 
biometric  systems.  The  use  of  multiple  biometrics  in  complex  programs  such  as  US  VISIT  and  registered  traveler,  as 
well  as  the  allowance  for  multiple  biometric  solutions  in  passport  applications,  underscore  the  viability  of  this 
approach.  Civil  ID  applications  are  mandatory  and  must  be  capable  of  operating  for  the  very  large  majority  of 
potential  users.  In  addition,  civil  ID  applications  may  have  a  large  number  of  enrollees,  such  that  multiple  biometric 
systems  may  be  necessary  to  provide  sufficient  accuracy  and  response  times.  Civil  ID  applications  may  need  to 
search  watchlists  with  fingerprint,  face,  and  even  iris  data,  providing  an  additional  rationale  for  acquiring  multiple 
biometrics  upon  registration. 

Access  control,  particularly  to  high-security  facilities  in  unattended  environments,  is  a  strong  environment  for 
multiple  biometric  solutions.  Such  applications  are  generally  unattended  and  must  be  capable  of  operating  for  an 
entire  population.  A  challenge  in  this  application  is  to  ensure  that  the  device  can  acquire  data  quickly  enough  to  not 
impede  throughput  unnecessarily.  Criminal  ID  applications  have  already  begun  to  migrate  to  multiple  biometrics 
systems,  using  face  recognition  in  conjunction  with  fingerprint. 

2.2  Biometric  Data  Sharing  and  Safeguarding  Considerations 

The  scale  and  complexity  of  biometric  samples  gathered  by  national  and  international  systems  are  increasing  and 
becoming  widespread.  The  current  maturity  level  of  biometrics  has  facilitated  the  use  of  biometrics  in  a  wide  range 
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of  government  applications,  while  much  work  remains  in  devising  acceptable  ways  of  controlling  the  use,  storage, 
and  exchange  of  biometric  data  and  personally  identifiable  information.  This  section  examines  risk  and  threat  areas 
associated  with  data  sharing,  and  presents  safeguarding  techniques  currently  ongoing  in  research  and  deployments. 

2.2.1  Privacy  Threats 

Privacy  threats  related  to  biometrics  have  been  discussed  extensively.  Major  privacy  risk  areas  are  described  as 
followed: 

•  The  ability  to  cross  match  data  subjects  across  different  services  or  applications  by  comparing  biometric 
templates. 

•  The  possibility  to  extract  sensitive  information  from  the  stored  biometric  data 

•  The  extension  of  application  scope  of  biometric  technology  outside  consent  of  the  owner 

The  first  threat  concerns  the  persistence  and  uniqueness  of  biometric  characteristics  that  allows  the  enrollee  to  be 
linked  between  different  datasets.  For  example,  an  attacker  could  link  different  financial  service  records  across 
different  banks’  datasets  to  one  specific  customer  to  illegally  obtain  the  customer’s  financial  condition  or  investment 
plan.  The  second  threat  concerns  linkage  between  one’s  biometric  data  with  other  personally  identifiable 
information,  such  as  subject’s  ethnic  background,  health  records,  or  visa  status.  Such  data  could  in  principle  be 
abused  by  healthcare  insurance  providers;  utilizing  biometric  templates  intended  for  patient  identification  in  a 
hospital  could  be  used  to  differentiate  in  insurance  premiums.  Similar  threats  could  occur  in  other  application  areas 
as  well. 

Other  privacy  risk  associated  with  biometrics  is  often  referred  to  as  function  creep.  If  the  application  scope  of 
biometric  technology  is  not  well  defined  and  restricted,  its  use  may  expand  to  other  applications  or  services.  For 
example,  an  application  initially  intended  to  prevent  misuse  of  municipal  services  may  gradually  be  extended  to 
rights  to  buy  property,  to  travel,  or  serve  in  armed  forces.  As  a  consequence,  data  subjects  that  would  agree  to  use 
biometrics  for  the  initial  application  would  be  forced  to  use  biometrics  for  other  applications. 

2.2.2  Security  Threats 

The  various  security  threats  associated  with  data  sharing  and  safeguarding  can  be  described  by  potential  attacks  on 
various  components  of  a  biometric  systems. 

Risks  during  biometric  data  capture 

The  most  prominent  security  threat  during  biometric  data  capture  is  enrollment  of  a  bogus  biometric  characteristic. 
Spoofing  attack  is  the  fabrication  and  presentation  of  a  fake  physical  biometric  characteristic  during  enrollment 
and/or  verification.  Some  biometric  characteristics  are  harder  to  forge,  such  as  the  iris,  while  others  are  easier  to 
forge,  such  as  face  or  fingerprint.  Since  biometric  information  cannot  be  regarded  as  secret,  the  original  biometric 
characteristic  can  be  obtained  with  or  without  the  permission  or  cooperation  of  the  data  subject.  The  sensor  spoofing 
attack  can  be  implemented  as  a  coercive  or  impersonation  attack.  A  coercive  attack  is  an  attack  where  the  authorized 
data  subject’s  biometric  data  is  presented  in  an  illegitimate  scenario.  An  impersonation  attack  involves  changing 
one’s  appearance  so  that  measured  biometric  data  matches  an  authorized  individual.  Impersonation  attacks  pose 
greater  risk  in  regards  to  data  security  and  safeguarding  through  tampering  with  the  integrity  of  the  biometric  dataset 
with  fake  samples  and  statistics.  In  addition,  an  attacker  can  steal  templates  from  a  dataset  and  construct  a  synthetic 
biometric  sample  that  passes  authentication.  Multiple  biometric  systems  reduce  the  exposure  to  an  impersonation 
attack  through  checking  for  consistency  between  different  modalities. 

Risks  during  data  storage 

Biometric  dataset  inherently  poses  various  security  threats  related  to  its  temperament.  Biometric  templates  and  data 
can  be  accessed  illegally,  or  could  be  replaced  or  changed.  In  addition,  biometric  dataset,  once  compromised, 
biometrics  cannot  be  updated  or  reissued  in  the  same  manner  as  passwords  or  ID  card.  The  unauthorized  access  or 
modification  of  biometric  data  may  not  only  lead  to  security  threats,  but  could  also  extend  to  threats  in  the  privacy 
domain,  such  as  cross  matching  of  different  biometric  datasets. 
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Risks  during  data  transmission 

Biometric  data,  scores,  and  decision  are  transferred  in  open  and  distributed  systems  between  various  agencies. 

Attacks  can  focus  on  changing  algorithms  or  exchange  protocols  of  the  system  by  means  of  a  Trojan  horse  attack.  In 

addition,  biometric  dataset  during  data  transmission  is  potentially  vulnerable  to  eavesdropping,  replay,  brute  force, 

and  man-in-the-middle  attacks^ . 

2.2.3  Privacy  Requirements 

Safeguarding  data  privacy  in  a  biometric  context  is  a  challenging  task.  These  requirements  must  be  followed  in 

order  to  establish  and  deploy  privacy-sympathetic  biometric  systems. 

•  Identity  Privacy:  Storage  of  biometric  templates  accompanied  by  other  identity  data  results  in  significant 
privacy  risks.  The  binding  between  biometric  and  other  identity  data  allows  malicious  persons  to  link  data 
subjects  to  applications  beyond  those  using  biometrics.  Therefore,  it  is  critical  that  the  binding  between 
biometric  and  other  identity  data  is  securely  protected 

•  Irreversibility:  To  prevent  the  use  of  biometric  data  for  any  other  purpose  than  originally  intended,  the 
biometric  data  should  be  transformed  in  such  a  way  that  the  biometric  sample  cannot  be  retrieved  from  the 
transformed  representation.  Such  transform  should  be  irreversible,  without  compromising  the  biometric 
verification  performance.  Irreversibility  should  hold  even  when  several  biometric  templates  are  accessible  from 
different  applications,  services,  or  datasets. 

•  Unlikability:  Tracking  and  tracing  subjects  across  applications  should  be  eliminated  by  ensuring  that  biometric 
templates  used  in  various  applications  are  unlikable.  This  guarantees  that  no  adversary  has  a  significant 
advantage  over  random  guessing  in  determining  whether  two  biometric  templates  are  related  or  not;  meaning 
that  they  were  generated  from  the  same  source. 

2.2.4  Security  Requirements 

•  Confidentiality:  Confidentiality  ensures  that  information  is  not  disclosed  to  unauthorized  entities.  In  a 
biometric  system,  biometric  data  is  stored  and  transmitted  between  various  subsystems.  Both  storage  and 
transmission  of  data  should  be  protected  against  eavesdropping,  unauthorized  disclosure  or  modification  of  the 
data.  This  requires  cryptographic  techniques  such  as  biometric  encryption,  or  symmetric  or  asymmetric  ciphers. 

•  Integrity:  Integrity  is  the  property  of  safeguarding  the  accuracy  and  completeness  of  assets  in  a  given  dataset.  If 
the  integrity  of  a  biometric  reference  or  the  result  of  the  various  processing  algorithms  and  subsystems  are 
untrustworthy,  the  verification  outcome  will  also  be  untrustworthy.  Therefore,  cryptographic  means  to  protect 
the  integrity  of  the  data,  such  as  signatures  or  authenticated  encryption  and  time  stamping,  are  required. 

•  Renewability  and  revocability:  A  strong  security  concern  for  biometric  system  relates  to  renewability  and 
revocability  of  biometric  templates.  Individuals  have  a  limited  number  of  irises  and  fingers;  identity  theft 
renders  corresponding  biometric  template  as  unusable  for  future  use.  Due  to  the  persistence  of  biometric 
characteristics,  a  biometric  template  that  is  compromised  once  is  compromised  forever.  The  risk  of 
compromised  biometric  templates  can  be  mitigated  for  certain  types  of  attacks  by  providing  methods  to  allow 
renewable  biometric  templates.  If  various  different  biometric  templates  can  be  extracted  from  the  same  or 
similar  biometric  characteristic,  the  biometric  template  can  be  revoked  and  renewed  in  case  it  has  become  the 
subject  of  identity  theft. 

2.2.5  Data  Safeguarding  Technique:  Biometric  Encryption 


^  Buhan,  I.  (2008)  Cryptographic  keys  from  noisy  data  -  Theory  and  applications. 

Breebaart,  J.;  Yang,  B.;  Buhan-Dulman,  I.  ;  Busch,  C.:  Biometric  Template  Protection.  The  need  for  open  standards, 
(Datenschutz  und  Datensicherheit)  2009 


DRDC  CSS  CR  201 1-29 


The  goal  of  data  safeguarding  is  to  mitigate  the  risks  of  malicious  errors  and  attacks  to  the  biometric  dataset. 

Meeting  the  privacy  and  security  requirements  in  a  biometric  system  is  a  complex  and  elaborate  task.  Data 
safeguarding  tools  related  to  biometric  data  transformations  have  been  published  in  the  literature.  These  solutions 
are  called  biometric  encryption  or  biometric  template  protection. 

Biometric  encryption  is  the  process  of  using  a  characteristic  of  the  body  as  a  method  to  code  or  scramble/descramble 
data.  Physical  characteristics  such  as  fingerprints,  retinas  and  irises,  palm  prints,  facial  structure,  and  voice 
recognition  are  just  some  of  the  many  methods  of  biometric  encryption  being  researched  today.  Since  these 
characteristics  are  unique  to  each  individual,  biometrics  is  seen  as  the  answer  to  combat  theft  and  fraud.  Reason  that 
this  new  technology  is  believed  to  be  superior  to  the  use  of  passwords  or  personal  identification  numbers  (PINs)  is 
that  a  biometric  trait  cannot  be  lost,  stolen,  or  recreated.  Encryption  is  a  mathematical  process  that  helps  to  disguise 
the  information  contained  in  messages  that  is  either  stored  or  transmitted  in  a  dataset.  There  are  three  main  factors 
that  determine  the  security  of  the  encryption  system:  the  complexity  of  the  algorithm,  the  length  of  the  encryption 
key  used  to  disguise  the  message,  and  safe  storage  of  the  key.  Biometric  encryption  makes  standard  character 
encryption  obsolete  by  replacing  or  supplementing  the  normal  key  characters  with  a  personal  identifier  of  the  user 
that  there  can  only  be  one  perfect  match  for.  Without  this  biometric  key  the  information  is  inaccessible. 

There  are  two  broad  categories  of  encryption  systems;  single  key,  or  symmetric,  systems  and  two  key,  or  public, 
systems.  Symmetric  systems  utilize  a  single  key  for  both  the  sender  and  receiver  for  the  purpose  of  coding  and 
decoding  data.  In  1972,  IBM  developed  DES  (Data  Encryption  Standard)  which  was  adopted  worldwide  by  1977  as 
the  most  common  single  key  system.  The  process  of  transmitting  this  type  of  key  over  such  networks  as  the  Internet 
is  one  of  the  major  failures  due  to  the  vulnerability  of  a  single  key  system  to  interception.  Data  transmission  may  be 
conducted  over  open  networks  instead  of  dedicated  networks  and  single  key  systems  do  not  offer  a  high  enough 
level  of  security  for  such  transmissions.  This  issue  of  security  led  to  the  development  of  public  key  system.  Two-key 
systems  use  a  public  key  to  encrypt  the  data  and  a  private  key  to  decrypt  the  data.  The  public  key  systems  allows 
better  encryption  than  single  key  systems,  however  certification  of  the  recipient  of  messages  becomes  an  issue, 
which  causes  a  hierarchy  of  certification  to  be  developed  resulting  in  a  much  slower  processing  time.  Biometrics  can 
aid  in  this  process  due  to  the  inherent  nature  of  using  a  physical  trait  of  the  desired  recipient  to  decipher  the 
message.^ 


^  http://www.ennory.edu/BUSINESS/et/bionnetric/Bionnetrics.htnn 
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Select  Biometric  Data  Safeguarding  Implementations 


The  rapid  advancement  of  biometric  technology  along  with  the  ease  with  which  biometrics  data  can  be  acquired  has 
resulted  in  the  accumulation  of  large  datasets  of  biometrics  information.  However,  reporting  of  best  practices  has 
been  minimal  in  regards  to  data  sharing  and  safeguarding.  This  section  provides  an  overview  of  biometric 
deployments  in  national  and  international  jurisdictions  with  an  assessment  framework  for  decision-making  on  the 
issues  surrounding  data  safeguarding.  Critical  areas  assessed  include  system  requirements,  risk  factors,  strengths  and 
weaknesses  of  the  deployed  data  safeguarding  technologies,  privacy  issues,  and  performance.  The  objective  is  to 
provide  deployers  and  decisions-makers  with  the  full  range  of  information  necessary  to  implement  secure  and 
interoperable  solutions  in  defence  and  security  applications. 

3.1  Biometric  Data  Safeguarding  Deployments  by  Application:  Border  Control 

Border  control  is  the  use  of  biometrics  to  identify  or  verify  the  identity  of  individuals  entering  or  leaving  a  border  at 
a  given  time.  The  biometrics  is  used  to  complement  authentication  mechanisms  such  as  passports  and  government- 
issued  visas.  Fingerprint  is  the  most  commonly  deployed  biometric  technology  in  border  control  solutions,  with  iris 
and  face  recognition  having  gained  much  ground  due  to  increased  need  for  security  in  the  recent  years.  Combination 
of  these  modalities  is  deployed  for  higher  accuracy  and  greater  flexibility. 

3.1.1  U.S.  Visitor  and  Immigration  Status  Indicatory  Technology  (US-VISIT) 

The  United  States  Visitor  and  Immigrant  Status  Indicator  Technology  (US-VISIT)  is  an  immigration  and  border 
management  system  operated  by  the  US  Department  of  Homeland  Security  (DHS).  The  purpose  of  the  program  is  to 
enhance  the  security  of  citizens  and  visitors,  facilitate  legitimate  travel  and  trade,  ensure  the  integrity  of  the  US 
immigration  system  and  protect  the  privacy  of  visitors.  Put  into  operation  on  January  5,  2004,  the  program  has  been 
implemented  across  all  major  ports  of  entry  within  the 
United  States  including  airports,  seaports,  land  ports  and 
US  Consulates  abroad.  As  one  of  the  first  full-scale 
mandatory  biometric  collection  programs,  US  VISIT 
represents  an  excellent  case  study  when  considering  the 
data  sharing  and  safeguarding  challenges  associated  with  a 
large-scale  data  management  system  servicing  multiple 
government  organizations. 

Biometric  data  is  collected  from  foreign  nationals  when 
they  apply  for  visas  at  US  consulates  in  their  respective 
countries  of  origin.  The  system  captures  ten  fingerprints 
and  a  face  image  of  every  enrollee.  Fingerprints  are  run 
against  national  datasets  including  the  DHS  Automated  Biometric  Identification  System  (IDENT)  as  well  as  the 
FBI’s  Integrated  Automated  Fingerprint  Identification  System  (lAFIS)  dataset  in  order  to  ensure  that  an  individual 
does  not  have  a  previous  criminal  record  and  is  not  on  a  watchlist.  Upon  arrival  to  the  US,  foreign  nationals  provide 
fingerprint  and  face  data  again  at  all  ports  of  entry  as  part  of  the  verification  process  (see  Figure  6)  to  insure  that 
each  individual  is  the  same  person  to  whom  the  initial  visa  was  issued.  The  last  implementation  phase  is  collection 
of  biometric  data  upon  exit.  DHS  completed  conducting  pilot  programs  at  12  airports  and  2  seaports  and  is 
implementing  new  biometric  exit  procedures  based  on  these  pilots  for  all  non-U.  S.  citizens  departing  the  United 
States  as  of  2010.  US-VISIT  is  accessed  by  30,000  users  from  federal,  state,  and  local  government  agencies. 

IDENT  is  the  primary  repository  of  biometric  information  held  by  DHS  in  connection  with  its  several  and  varied 
missions,  including  the  US-VISIT  initiative.  IDENT  is  centralized  and  contains  biometric,  biographic,  unique 
machine-generated  identifiers,  and  encounter-related  data  during  collection  by  federal,  state,  local,  and  international 
agencies.  Biometric  data  includes  fingerprints  and  photographs.  Biographical  data  includes  name,  date  of  birth, 
nationality,  and  other  personal  descriptive  data.  The  encounter  data  provides  the  context  of  the  interaction  with  an 
individual  including  location,  document  numbers,  and  reason  fingerprinted.  Unique  personal  identifier  is  a  new 


Figure  6:  US-VISIT  fingerprint  collection^ 


^  Image  extracted  from  U.S.  Customs  and  Border  Protection  photographic  archives 
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category  of  records  used  to  link  individuals  with  their  encounters,  biometrics,  and  other  data  elements.  IDENT 
generates,  stores,  and  retrieves  data  by  unique  number  or  sequence  of  numbers  and  characters  in  an  effort  to 
accurately  identify  and  account  for  individuals  upon  all  encounters  with  the  system.  The  US- VISIT  biometric  data 
are  currently  in  migration  to  conformance  with  ANSI/NIST-compliant  format,  specifically  to  extensible  markup 
language  (XML)  as  its  primary  data  exchange  method. 

The  dataset  is  protected  through  multi-layer  security  mechanisms  at  physical,  technical,  and  administrative  levels. 
DHS  facilities  are  limited  through  physical  access  control  measures,  confidentiality  of  communications  between 
agencies  are  ensured  through  authentication  of  sending  parties,  and  US- VISIT  data  are  accessed  only  by  personnel 
screened  through  background  investigations  commensurate  with  the  level  of  access  required  to  perform  the  duties. 

In  regards  to  data  retention  and  disposal,  the  biographic  and  biometric  data  collected  by  US- VISIT  for  which  the 
statute  of  limitations  has  expired  for  all  criminal  violations  or  older  than  75  years  are  purged.  Fingerprint  cards, 
which  are  created  for  the  purpose  of  entering  records  in  the  dataset,  are  destroyed  after  data  entry.  ^ 

The  US-VISIT  program  has  garnered  positive  results.  In  fiscal  year  2007,  a  total  of  46,298,869  entries  were 
recorded  at  air  and  sea  ports.  235,857,  or  0.5%  of  these  entries,  were  identified  as  possible  overstays  due  to  no 
departure  record.  The  manual  vetting  system  led  to  273  U.S.  Immigration  and  Customs  Enforcement  arrests,  and 
1 1,685  biometric  watch-lists  were  recorded  at  the  port  of  entries,  which  included  individuals  with  criminal  histories. 
United  States  Citizenship  and  Immigration  Services  also  utilized  the  system  to  screen  those  who  apply  for 
immigration  benefits,  creating  31,324  hits.^ 

3.1.2  EURODAC 

EUROD  AC  -  European  Dactyloscopie  -  is  a  multi-national  fingerprint  dataset  for  identifying  asylum  seekers  and 
anomalous  border-crossers.  Its  participants  include  all  EU  Member  States  in  addition  to  Norway,  Iceland,  and 
Switzerland.  The  dataset  was  constructed  in  an  effort  to  reduce  asylum-seekers  attempting  to  process  simultaneous 
claims  for  asylum  in  more  than  one  EU  country  (referred  to  as  “asylum  shopping”).  It  consists  of  a  centralized  AFIS 
system  located  in  Luxembourg  that  enrolls  the  fingerprints  of  first-time  asylum  seekers.  The  enrolled  fingerprints 
are  then  checked  against  existing  records  in  the  dataset  to  identify  multiple  asylum  applications.  Information  stored 
on  the  EURODAC  dataset  includes  the  asylum  seekers’  fingerprints,  date  of  submission,  and  country  of  first  entry;  it 
does  not  store  names  or  photographs.  Additionally,  to  ensure  the  protection  and  interoperability  of  transmitted  data, 
the  EU-wide  system  required  the  building  of  a  secure  network  to  transmit  data  between  the  Central  Unit  and  the 
Member  States.  Additionally,  the  information  is  encoded  and  processed  into  ANSI/NIST-compliant  format. 

Privacy  concerns  and  protection  of  traveler  information  has  influenced  the  development  and  data  usage  requirements 
of  the  EURODAC  dataset.  The  EURODAC  dataset  only  associates  asylum  seekers’  fingerprints  to  their  date  of 
submission,  country  of  first  entry,  and  not  their  actual  names  or  face  images.  This  process  helps  to  only  identify 
those  individuals  attempting  to  process  simultaneous  claims,  and  can  limit  the  use  of  stored  information  for 
secondary  purposes.  The  European  Commission,  however,  proposed  in  July  2009  to  allow  Member  States’  law 
enforcement  authorities  and  Europol  access  to  the  EURODAC  dataset  to  help  investigations  into  terrorism  and  other 
serious  crimes.  The  proposal  has  been  met  with  criticisms  by  privacy  advocates  who  question  its  legitimacy  and 
necessity.  Additionally,  the  European  Data  Protection  Supervisor  (EDPS)  argues  that  the  proper  balance  between  the 
need  for  public  safety  and  the  right  to  privacy  and  data  protection  must  be  met. 


3.1.3  Biometrics  Identification  System  (J-BIS)  (Japan) 


^  http://www.dhs.gov/files/progranns/gc1 1800209231 82. shtm 
®  Figures  extracted  from:  http://www.cis.org/vaughan/USVISITNumbers 
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Japan  Biometrics  Identification  System  (J-BIS)  is  an  automated  identification  and  clearance  system.  It  was  designed 
to  identify  and  clear  incoming  visitors  to  Japan  using  fingerprint  and  face  recognition  technology  (see  Figure  7).  The 
system  came  online  in  November  2007,  paralleled  with  the  announcement  that  all  foreign  visitors  to  Japan, 
including  foreign  nationals  with  permanent  residency,  are  required  to  be  fingerprinted  for  identification  purposes 
upon  arrival  at  entry  points  such  as  airports  and  seaports.  Fingerprint  data  is  captured  and  searched  against  a  national 
watchlist  dataset  for  any  historical  criminal 
activity. 

The  watchlist  dataset  stores  a  mixture  of  from 
one  to  ten  rolled  or  plain  fingerprints  who  are 
also  of  varying  print  qualities.  The  identification 
system  supports  50  concurrent  transactions  with 
a  maximum  10  seconds  response  time.  J-BIS 
system  adheres  to  the  NIST’s  Wavelet  Scalar 
Quantization  (WSQ)  Gray-Scale  Fingerprint 
Compression  Specification  for  data  exchange. 

While  a  search  using  biographic  information 
such  as  name  and  passport  number  can  be  used 
to  retrieve  information  from  the  dataset,  the 
immigration  officers  are  solely  responsible  for 
visually  verifying  the  biographic  search  results 
against  the  biometric  data  at  various  points  of 
entry. 
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3.1.4  The  Five  Country  Conference 
(FCC)  Protocol 


Figure  7:  Japan  J-BIS  system 


In  August  2009,  the  United  Kingdom’s  Border  Agency  (UKBA)  announced  its  agreement  to  share  fingerprint 
information  with  the  governments  of  Canada,  Australia,  New  Zealand,  and  United  States  in  an  effort  to  combat 
against  identity  fraud.  In  addition  to  UKBA,  the  other  immigration  authorities  involved  international  data  exchange 
are  the  Department  of  Immigration  and  Citizenship  (DIAC)  in  Australia,  Citizenship  and  Immigration  Canada  (CIC) 
and  the  Canada  Borer  Services  Agency  (CBSA),  the  DHS  in  the  United  States  of  America,  and  Immigration  New 
Zealand  (INZ).  The  Under  the  data  sharing  agreement,  the  UK  would  be  able  to  swap  fingerprint  information  on 
foreign  criminals  and  asylum  seekers  with  other  countries’  respective  fingerprint  datasets,  which  are: 


•  The  Immigration  and  Asylum  Fingerprint  System  (lAFS)  of  UKBA 

•  The  Biometric  Acquisition  and  Matching  System  (BAMS)  in  Australia 

•  The  Automated  Fingerprint  Identification  System  (AFIS)  in  Canada 

•  The  IDENT  System  in  the  USA 

•  The  Immigration  Biometric  System  (IBS)  of  New  Zealand 

This  provides  officials  the  opportunity  to  identify  and  flag  travelers  attempting  to  evade  identification  from 
international  and  local  authorities.  Forum  members  of  the  Five  Country  Conference  (FCC),  who  engage  in  ongoing 
strategic  initiatives  on  immigration  controls  and  border  security,  are  responsible  the  development  of  this  agreement. 
For  the  first  year  of  the  plan,  each  participating  country  was  required  to  share  3,000  sets  of  fingerprints  with  the 
other  partnering  countries,  with  fingerprint  sets  increasing  as  the  roll  out  progresses. 

All  of  the  data  exchanged  will  be  conducted  under  Secure  File  Share  Server  (SFSS)  hosted  by  the  government  of 
Australia.  The  data  exchange  happens  in  two  stages.  In  the  first  stage,  anonymized  fingerprints  with  a  unique 
reference  number  will  be  transferred  for  the  purpose  of  searching  against  other  countries’  fingerprint  datasets.  The 
second  stage  of  data  sharing  will  take  place  only  in  the  instance  of  a  fingerprint  ‘match’  being  identified,  which 


^  Image  extracted  from:  http://biometrics.org/bc2008/presentations/150.pdf 
http://www.ukba.homeoffice.gov.uk/sitecontent/documents/aboutus/workingwithus/high-value-data-sharing- 
protocol/pia.pdf?view=Binary 
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transfers  biographical  and  other  relevant  data  between  the  country  that  supplied  the  fingerprints  and  the  country  that 
identified  a  fingerprint  match.  The  unique  reference  number  is  assigned  to  create  a  search  code  for  the  second  stage 
of  data  sharing  in  case  a  fingerprint  match  occurs,  from  which  the  code  enables  the  country  to  ascertain  what  data 
will  be  relevant  to  transfer  in  respect  of  that  person.  The  data  element  that  will  be  shared  upon  matching  are  as 
followed: 

•  Date,  location,  and  reason  fingerprinted 

•  Last  name,  first  name,  any  other  names 

•  Date  of  birth,  place  of  birth,  nationality,  and  gender 

•  Travel  document  number 

•  Photograph,  facial  image,  and/or  scan  of  the  travel  document  biodata  page 

Fingerprints  exchanged  under  the  Protocol  will  be  destroyed  securely  once  the  matching  has  taken  place,  whether  or 
not  a  match  is  achieved.  On  cases  where  fingerprints  are  found  to  match,  the  countries  will  exchange  such  other 
information  as  relevant,  proportionate,  and  lawful  to  exchange  for  their  immigration  and  nationality  purpose. 

3.2  Biometric  Data  Safeguarding  Deployments  by  Application:  Civil  ID 

Civil  ID  is  the  use  of  biometrics  to  identify  or  verify  the  identity  of  individuals  in  their  interaction  with  government 
agencies  for  the  purpose  of  card  issuance,  voting,  immigration  or  employment  background  checks.  Common  civil  ID 
applications  include  voter  registration,  national  ID  and  biometric  passports.  Biometrics  is  used  to  complement  or 
replace  authentication  methods  such  as  document  provision,  signature  recognition,  and  manual  photograph 
inspection.  APIS,  face  recognition  and  fingerprint  are  three  most  deployed  biometric  technologies  in  civil  ID 
applications,  with  iris  recognition  slowly  gaining  market  share.  Civil  ID  applications  require  systems  capable  of 
performing  large-scale  1  :N  identification,  with  APIS  providing  the  accuracy  and  scalability  when  combined  with 
other  biometric  modalities. 

3.2.1  Gambia  Biometric  identification  System  (GAMBIS) 

The  Gambia  Biometric  Identity  System  (GAMBIS) project  is  an  integrated  biometric  identity  system  through 
which  the  government  of  Gambia  captures  biometric  details  for  all  citizens  and  aliens  in  the  country.  The  Biometric 
Identity  Card  of  the  Gambia  Immigration  Department  was  launched  on  18  August  2009,  replacing  its  previous 
national  identity  card  in  circulation.  Biometric  data  used  by  GAMBIS  is  thumbprint  based,  and  applicants  are 
required  to  submit  both  thumbprints  at  the  time  of 
enrollment.  Additionally,  card  issuance  requires  citizens  to 
present  their  birth  certificate,  Gambian  passport,  and 
certificate  of  registration,  voter’s  card,  Seyfo  certificate, 
village  Alkalo’s  certificate  or  certificate  of  naturalization. 

An  individual’s  data,  including  their  biographic  and 
biometric  information  is  matched  and  captured  in  the 
national  dataset.  A  National  Identification  Number  (NIN),  unique  to  each  applicant’s  fingerprint,  is  issued  in 
conjunction.  As  the  country’s  next  generation  identification  card,  it  enables  its  citizens  and  residents  to  confirm  their 
identity  based  on  their  fingerprint  and/or  face  data.  Biometric  documents  issued  for  Gambia  include  national  identity 
cards,  residential  permits,  non-Gambian  ID  cards,  and  driver’s  license. 

The  GAMBIS  project  is  one  of  the  first  biometric  identity  systems  to  issue  multiple  biometric  identity  documents, 
such  as  identity  cards,  passports,  driver’s  license,  visas,  under  one  platform  by  combining  all  these  documents  in  a 
national  population  dataset.  The  project  and  data  enrollment  operates  out  of  eight  GAMBIS  branches  and  four 
mobile  units.  As  of  March  2010,  near  70,000  National  IDs,  7,000  Residential  Permits,  20,000  National  Driving 
Licenses  have  been  issued  through  the  GAMBIS  project. 

3.2.2  The  Bangladesh  Voter  Registration  Project 


GAMBIS 


^  The  Gambia  Biometric  Identification  System 


http://www.gannbis.gnn/ 

http://www.gannbis.gnn/news.htnnl 
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The  Bangladesh  Election  Commission  (BEC),  in  partnership  with  the  Bangladesh  army,  established  the  Bangladesh 
Voter  Registration  Project  to  digitally  register  all  legal  voters  in  the  country  in  advance  of  general  elections  in 
December  2008.  The  biometric  registration  of  voter  included  collection  of  fingerprint  and  facial  records.  By  the 
project’s  completion  in  October  2008,  the  project  resulted  in  a  dataset  of  80  million  registered  voters  using  face  and 
fingerprint  technology,  creating  the  world’s  currently  largest  biometric  dataset.  A  portion  of  enrolled  population  was 
illiterate  and/or  had  no  previous  identification  documents.  The  project  completion  included  the  following  eleven 
stages:  Form  distribution  and  data  collection,  data  verification,  data  entry,  data  export  to  server,  proof  reading  and 
editing,  verification  of  proof  voter  list  and  handing  over,  ID  card  preparation,  ID  card  distribution,  correcting 
mistakes  on  ID  cards,  preparation  of  draft  voter  list  and  distribution,  and  data  safeguarding  and  distribution.  The 
system  includes  an  integrated  large  scale  APIS  and  multiple  biometrics  face-fingerprint  recognition  system 
developed  jointly  by  TigerIT  Bangladesh  Ltd  and  DohaTech.  The  resulting  ID  cards  include  a  barcode  encoded  with 
ISO  fingerprint  templates  and  PKI  digital  hash  printed  on  each  card  including  name,  gender,  birth  date,  picture, 
signature,  and  fingerprint  images. 

The  national  identity  dataset  of  Bangladesh  contains  the  biometric  and  personal  data  of  more  than  80  million  people, 
which  raises  privacy  and  security  concerns.  In  January  2010,  the  National  Identity  Registration  Bill  2010  was 
passed,  which  authorized  BEC  to  become  the  custodian  of  this  national  dataset  with  power  to  inquire  for  any 
individual  or  institution  for  personal  data.  Notably,  the  law  does  not  provide  any  clause  for  protecting  the  privacy  of 
personal  information,  which  enumerates  the  lack  of  privacy  laws  in  Bangladesh  today. 

3.2.3  National  ID  Card  (Thailand) 

In  April  2005,  the  Thai  government  contracted  Precise  Biometrics  for  a  National  ID  card  solution.  Precise's  Match- 
on-card  technology  was  chosen  and  integrated  by  Smart  Card  System  International  Co.  Ltd.  The  smart  ID  cards 
include  digital  fingerprint  information  thereby  physically  tying  the  card  to  a  specific  individual.  The  matching  of  the 
fingerprint  takes  place  inside  the  card,  not  in  the  reader.  The  initial  deployment  included  the  supply  of  12  million 
cards  and  36,000  fingerprint  readers,  and  was  expanded  in  2006  to  include  64  million  citizens.  As  of  January  2007, 
10  million  ID  cards  were  in  use  by  Thai  citizens.  In  addition  to  the  traditional  usage,  the  ID  cards  will  be  used  in 
different  contexts,  such  as  in  education  and  government  ID  cards. 

The  establishment  of  Thai  national  identity  dataset  raises  both  privacy  and  security  concerns  regarding  data  sharing 
and  safeguarding  methods.  By  the  project’s  completion,  Thailand’s  national  ID  dataset  will  grow  in  similar  scale  to 
the  dataset  of  Bangladesh.  In  addition  to  the  fingerprint  information,  the  dataset  ties  the  biometric  information  with 
the  individual’s  other  personal  data  such  as  the  Population  Identification  Code,  a  1 3 -digit  string  of  numbers  assigned 
at  birth  or  upon  receiving  the  citizenship.  With  the  increased  adoption  of  biometric  technology  in  national  ID  and 
biometric  passport  applications  across  the  globe,  the  need  for  adoption  of  standardized  of  data  security  and  exchange 
methods  has  become  a  pressing  concern. 
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3.3  Biometric  Data  Safeguarding  Deployments  by  Application:  Criminal  ID 


Criminal  ID  is  the  use  of  biometric  technologies  to  identify  or  verify  the  identity  of  a  suspect,  detainee,  or  individual 
in  a  law  enforcement  application.  Criminal  ID  systems  often  include  a  large-scale  biometric  dataset.  Typical 
criminal  ID  applications  include  executing  fingerprint  searches  against  local,  state  and  national  datasets  as  well  as 
processing  face  images  in  the  form  of  mug  shots  against  datasets.  APIS  is  the  dominant  biometric  technology  in  this 
space,  followed  by  face  recognition  and  fingerprint. 

3.3.1  Multilingual  Automated  Registration  System  (MARS)  (United  States) 

The  Multilingual  Automated  Registration  System  (MARS)  provides  similar  capabilities  as  that  of  the  Biometrics 
Automated  Toolset  (BAT)  with  the  addition  of  flexible  multilingual  user  interfaces;  the  added  user  interface  with 
additional  languages  is  intended  to  aid  in  the  transition  process  as  U.S.  forces  implement  the  application  locally  to 

Iraqi  officials  and  military.  As  a  user  identification 
application,  MARS  provides  fingerprint,  face,  and  iris 
enrollment  and  identification  capabilities  along  with  digital 
entry  of  data  and  related  identity  information.  The 
application  is  also  designed  to  be  compliant  with  FBI  and 
Department  of  Defence  (DoD)  biometric  enrollment 
criteria  to  better  ensure  interoperability  of  biometric  data. 

As  illustrated  in  Figure  8,  a  number  of  biometric  capture 
devices  are  attached  to  a  single  laptop  to  allow  operators  to 
capture  multiple  biometrics  from  detainees.  A  COTS 
digital  camera  is  utilized  to  capture  multiple  headshots  and 
face  shots  from  each  detainee  for  face  recognition;  typical 
face  captures  include  front  image,  left  and  right  side  90  degree  side  profile,  and  left  and  ride  45  degree  side  profile. 

In  addition,  the  system  collects  the  individual’s  fingerprint,  thumbprint,  and  iris  images. 

One  of  the  first  deployments  of  the  MARS  registration  system  was  established  in  March  2009  at  the  Rusafa  Prison, 
Baghdad  and  operated  independently  by  Iraqi  officials.  The  solution  included  a  complete  end-to-end  architecture 
that  allowed  for  multimodal  biometric  identification  and  enrollment  of  detainees.  At  the  designated  prison  facility, 
the  solution  was  able  to  enroll  a  population  of  over  25,000  detainees  even  when  operating  continuously  over  an 
extended  period  of  time. 

The  solution  was  also  designed  to  access  external,  centralized  datasets  to  obtain  real-time  information  about 
detainees  and  facilities.  MARS  creates  Electronic  Biometric  Transmission  Specification  (EBTS)  files  to  be  shared 
with  the  DoD  authoritative  biometric  repository,  the  DoD  Automated  Biometric  Identification  System  (ABIS). 

These  files  can  subsequently  be  shared  through  the  DoD  ABIS  with  interagency  partner  systems  such  as  the  Federal 
Bureau  of  Investigation  (FBI)  Integrated  Automated  Fingerprint  Identification  System  (lAFIS)  enabling  effective 
global  identity  management.  In  addition,  the  system  features  the  capability  to  create  Biometric  Data  files  (BDF)  for 
storage  and  exchange  of  biometric  and  demographic  data.  The  file  permits  creation  of  digital  dossiers  within  the 
enterprise  linking  identities  and  situational  information.  MARS  features  a  scalable  client-server  architecture  from 
which  the  Detention  Management  System  (DMS),  a  web-based  detention  and  prison  management  system,  exchanges 
information.  MARS  serves  as  the  enrollment  point  for  detainees  and  manages  their  detained  status,  while  DMS 
connects  to  MARS  or  BAT  to  update  its  knowledge  of  persons  in  the  system.  The  system  provides  real-time  data 
exchange  about  detainees  and  facilities  is  available  for  management  purposes  from  one  central  location  using  DMS 
Portal,  a  web-based  portal  providing  detention  and  prison  oversight  capability. 


Figure  8:  MARS  Work  Station  at  the  Rusafa  Prison 
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3.4  Biometric  Data  Safeguarding  Deployments  by  Applications:  Surveillance 


Surveillance  is  the  use  of  biometric  technologies  to  identify  individuals  present  in  a  given  space  or  area.  Biometrics 
is  used  to  complement  or  replace  authentication  methods  such  as  manual  monitoring  of  cameras.  Surveillance 
applications  scan  crowds  and  open  spaces,  capturing  faces  in  a  field  of  view  from  a  variety  of  angles  without  the 
end-user  knowingly  interacting  with  a  camera.  Surveillance  applications  are  classified  by  covert  operations  and  its 
real-time  1:N  functionality.  Face  recognition  is  the  only  technology  used  in  surveillance  due  to  its  ability  to  acquire 
non-cooperative  subjects  from  a  distance  and  the  existence  of  facial  watchlist  datasets. 

3.4.1  New  Delhi  Railway  Station  Face  Recognition  Surveillance  (India) 

In  January  2005,  the  New  Delhi  Police  initiated  a  facial  recognition  surveillance  pilot  program  at  the  New  Delhi 
Railway  Station  (see  Figure  9).  The  system,  similar  to  those  deployed  in  Dubai  and  Singapore,  includes  cameras  and 
searchlights  installed  at  the  entry  and  exit  points  of  the  station.  The  system  processes  each  person  as  they  enter  and 
exit  the  station  and  runs  the  picture  against  a  criminal  dataset  of  most-wanted  criminals.  If  a  matching  record  is 
found,  the  cameras  begin  recording. 

The  facial  recognition  system  is  connected  to  a  control 
room  set  up  at  the  station  where  two  computers — the 
recorder  and  server — will  process  the  pictures  for  a 
scan  against  the  watchlist  dataset  in  the  server.  The 
server  is  equipped  with  software  containing  the 
photographs  of  most-wanted  criminals  and  it  flashes  a 
signal  if  the  system  finds  a  match  in  the  records.  The 
surveillance  system  can  analyze  20  photographs 
simultaneously.  The  frequency  of  synchronization 
with  the  national  criminal  dataset  is  unknown.  The 
system  has  been  installed  to  increase  traveler  security 
and  to  also  reduce  surveillance  camera  film  costs,  as 
the  cameras  only  begin  recording  when  there  is  an 
observed  threat. 

3.4.2  Community  Protection  Face  Recognition  System  (United  Arab  Emirates) 

Community  Protection  Face  Recognition  System  is  a  part  of  United  Arab  Emirates  (UAE)  Ministry  of  Interior's 
Community  Protection  initiative,  which  aims  to  implement  a  comprehensive  national  critical  infrastructure 
protection  system.  One  part  of  that  system  that  is  currently  in  place  is  a  biometric  watchlist  based  on  iris  recognition, 
called  the  Iris  Expellee  Tracking  System  (lETS)  used  to  prevent  illegal  entry  at  UAE  ports  and  to  recognize  wanted 
criminals.  The  face  recognition  system  complements  the  more  narrowly  focused  iris  system  to  perform  identification 
checks  of  entrance  and  people  in  transit  lounges.  The  system  features  real-time  facial  capture  and  enhancement 
technology  and  automated  identity  searches  upon  matching  against  criminal  records.  Its  advanced  detection 
technology  instantly  locates  key  facial  characteristics  during  enrollment  process  for  immediate  analysis.  Plans  are  in 
place  for  the  system  to  be  integrated  into  the  passport  control  system  of  the  Dubai  Naturalization  and  Residency 
Department. 

The  underlying  biometric  technology  selected  for  the  face  recognition  system  is  to  be  provided  by  CryptoMetrics, 
Inc.,  a  global  biometric  technology  vendor.  CryptoMetrics  and  the  Ministry  of  Interior  have  entered  into  a  25-year 
exclusive  partnership,  along  with  BioDentity  Systems  EEC,  to  deploy  face  recognition  systems  in  UAE.  Face 
recognition  enrollment  images  will  be  in  compliance  with  standards  of  the  International  Civil  Aviation  Organization 
(ICAO).  The  system  has  been  deployed  at  Abu  Dhabi  International  Airport  since  July  2008.  As  of  November  2008, 
four  units  were  soon  to  be  introduced  at  Dubai  International  Airport.  Two  more  are  planned  for  the  exterior  of  the 
airport  in  Dubai,  and  there  are  plans  to  expand  the  system  to  all  UAE  ports  of  entry,  including  the  Fujairah  and  Ras 
al-Khaimah  airports.  The  plan  is  to  have  four  face  recognition  sites  at  important  ports  of  entry. 

The  system  allows  critical  identification  checks  to  be  performed  from  a  distance  without  a  person’s  active 
participation.  The  system  also  helps  inspectors  at  control  points  inside  the  airports  to  facilitate  the  clearance  of 
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persons  without  inconvenience  or  delay  to  the  passengers  while  implementing  continuous  and  proactive  checks 
designed  to  immediately  detect  persons  who  should  be  denied  entry  or  detained. 

3.5  Data  Safeguarding  in  Canadian  Security  Deployments 

New  biometric  technologies  and  its  associated  data  safeguarding  capabilities  must  consider  existing  programs  and 
data  sharing  and  safeguarding  protocols  currently  in  place.  This  section  provides  an  overview  of  current  Canadian 
biometric  deployments  in  security  applications  and  assesses  the  effectiveness  of  information  exchange  and  biometric 
dataset  safeguarding  practices  in  existing  applications. 

3.5.1  CANPASS 

CANPASS  (Canadian  Passenger  Accelerated  Service  System)  is  a  joint  initiative  of  the  Canada  Border  Services 
Agency  (CBS A)  and  Citizenship  and  Immigration  Canada  (CIC)  designed  to  streamline  customs  and  immigration 
clearance  into  Canada  for  pre-approved,  low-risk  frequent  travelers.  The  program  was  initiated  in  November  2004  to 
serve  airline  passengers,  but  has  since  expanded  to  include  both  air  and  marine  travel.  Pre-approved  travelers  with 
CANPASS  provide  their  iris  images  to  confirm  their  identities  against  an  issued  identification  card  used  at  self- 

service  kiosks  located  within  international 
airports  (see  Figure  10).  Participating  Canadian 
airports  include  the  Calgary  International  Airport, 
Edmonton  International  Airport,  Halifax 
International  Airport  and  the  Vancouver 
International  Airport.  The  CANPASS  program 
consists  of  a  variety  of  iterations  customized  for 
specialized  border  crossing  scenarios,  including 
via  corporate  aircraft,  private  aircraft,  private 
boats,  and  in  remote  areas.  There  are  currently 
almost  4,800  approved  CANPASS  travelers. 

Once  an  applicant  has  completed  and  signed  the 
CANPASS  application  form,  the  CBSA  is 
authorized  to  collect  personal  information  such  as 
name,  date  of  birth,  address,  citizenship,  proof  of 

The  information  will  be  used  for  background  security  checks  and  is  not  shared  with  a  third  party.  All  information  is 
stored  in  a  secure  central  dataset,  which  in  turn  is  protected  by  various  methods,  including  firewalls.  Access  to  client 
information  by  employees  is  also  controlled  and  monitored. 

All  personal  information  provided  is  protected  under  the  federal  Privacy  Act  of  Canada. 

3.5.2  NEXUS 

NEXUS  is  a  joint  program  between  the  U.S.  Customs  and  Border  Protection  (CBP)  and  Canada  Border  Services 
Agency  (CBSA),  which  facilitates  the  simplified  security  processing  for  pre-approved  travelers.  The  program  was 
originally  established  in  2002  as  part  of  the  Shared  Border  Accord  between  the  United  States  and  Canada,  and  has 
since  expanded  to  include  the  management  of  travel  lanes  at  airports,  waterways,  and  land  crossings.  NEXUS 
biometric  data  consists  of  digital  fingerprints,  iris  scan,  and  a  facial  photograph. 

Additionally,  membership  with  NEXUS  fulfills  the  travel  document  requirements  of  the  Western  Hemisphere  Travel 
Initiative  (WHTI)  that  requires  all  U.S.  and  Canadian  citizens  to  hold  a  government  issued  passport  or  other  secure 
travel  document  when  seeking  entry  or  re-entry  into  the  U.S.  by  air.  There  are  currently  383,000  approved  travelers 
in  the  NEXUS  program,  which  has  been  implemented  at  16  border  crossing  locations,  33  marine  locations  in  the 
Great  Lakes  and  Seattle,  Washington  regions,  and  eight  international  airports  in  Canada,  including  Vancouver 
International  Airport,  Toronto  Pearson  International  Airport,  and  Calgary  International  Airport.  NEXUS  self-service 
kiosks  employ  iris  recognition  technology  to  quickly  screen  travelers,  allowing  them  to  bypass  customs  and 
immigration  lines.  Enrollment  in  the  program  consists  of  a  basic  background  check,  fingerprint  capture,  and  iris 


Figure  10:  CANPASS  trusted  traveler  program 
citizenship  and  residency  information. 
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capture.  Membership  lasts  for  5  years.  As  of  January  2011,  all  NEXUS  members  can  utilize  Global  Entry  Kiosks  at 
participating  airports. 


Applicants  are  screened  for  citizenship  and  immigration  status,  checked  for  criminal  history  and  positive  matches  on 
U.S.  Federal  Bureau  of  Investigation  (FBI),  Canadian  Security  Intelligence  Service  (CSIS),  Royal  Canadian 
Mounted  Police  (RCMP),  United  Nations,  and  Interpol  terrorism  and  no-fly  list  datasets  and  United  Kingdom  Police 
National  Computer.  The  information  provided  by  each  applicant,  including  supporting  documentation  and  biometric 
data,  is  collected  under  the  Customs  Act  and  is  protected  under  the  Privacy  Act.  The  information  will  be  used  to 
make  a  determination  of  your  application  and  the  operation  of  the  programs,  and  are  shared  with  other  government 
agencies  in  Canada  and  the  United  States  of  America.  Finally,  the  information  will  be  retained  in  the  Personal 
Information  Bank  #CBSA  PPU  031,  which  could  be  obtained  by  participants  of  the  program. 

Since  the  NEXUS  air  and  land  programs  were  merged  in  2007,  interest  in  the  CANPASS  program  has  declined, 
since  NEXUS  provides  a  broader  range  of  services  at  the  same  price,  including  both  expedited  Canadian  and  U.S. 
immigration  at  Canadian  airports.  The  most  likely  reason  an  individual  would  be  inclined  to  use  CANPASS  rather 
than  NEXUS  is  because  he  or  she  is  deemed  ineligible  for  NEXUS  by  the  United  States. 
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4  Biometric  Privacy-Enhancing  Techniques 


4.1  Introduction 

Experts  in  biometrics  and  information  security  widely  recognize  the  danger  of  processing,  transmitting,  and  storing 
biometric  information  in  the  clear.  Biometric  templates  are  sensitive  representations  of  their  owners,  and  the  theft  or 
misuse  of  them  can  incur  serious  injury.  International  standards  on  the  secure  management  of  templates  have 
matured  insofar  as  how  they  are  stored  and  transmitted.  Match-on-card  technologies  and  other  client-side  matching 
devices  have  taken  to  the  market  recently,  illustrating  the  progress  of  biometric  data  safeguarding  technologies. 
Ironically,  there  remains  to  be  a  definitive  agreement  on  how  to  store  biometric  templates  in  a  format  that  secures 
their  owners  from  identity  theft  in  the  event  that  the  templates  are  stolen. 

Biometric  template  protection  methods  are  processes  by  which  biometric  templates  are  transformed  into 
pseudonymous  identifiers  of  their  owners.  Reliable  pseudonymous  identifiers  are  secure  and  robust,  preserving  the 
anonymity  of  their  owners  while  reliably  distinguishing  them  from  other  individuals.  Such  processes  represent  a 
mere  step  in  the  flowcharts  most  security  protocols,  but  arguably  they  uphold  privacy  in  biometric  systems  at  a  most 
fundamental  level.  Thus  biometric  template  protection  methods  are  continuing  to  mature  in  a  rigorous  academic 
debate  as  they  have  been  for  about  a  decade.  Commercial  and  governmental  organizations  have  not  yet  widely 
adopted  template  protection  methods  in  their  existing  biometric  products  or  systems;  however  a  handful  is  investing 
in  the  research  and  development  of  such  methods. 

This  report  describes  many  template  protection  methods  that  have  matured  in  the  academic  discourse.  These 
methods  are  not  mutually  exclusive,  but  for  organizational  purposes  they  are  divided  into  loose  categories.  Each 
overarching  method  is  introduced  with  an  overview  that  covers  its  general  methodology,  known  vulnerabilities  and 
defence  strategies,  and  typical  performance  rates.  Security  vulnerabilities  are  analyzed  insofar  as  they  pertain  to  the 
privacy  of  the  user,  whereby  the  inversion  of  a  protected  template  would  compromise  the  confidentiality  of  the 
user’s  identity.  Commercial  developments  in  template  protection  are  reviewed  separately  from  those  in  academia. 
The  bibliography  lists  references  for  every  article  and  patent  reviewed  in  this  report  and  lists  other  relevant  articles 
not  necessarily  reviewed  or  referenced  in  the  report,  such  as  attack  strategies  on  well  known  template  protection 
methods.  Appended  to  the  report  is  a  summary  of  the  test  results  for  every  empirical  study  reviewed. 
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4.2  Summary  of  Approaches 


Figure  1 1  summarizes  the  approaches  examined  for  this  Study. 


Article 

Method 

Notes 

Al-Assam  et  al.  (2009) 

Projeetion 

Redueed  the  projeetion  method  to  two  steps,  eliminating  the  need  for  the 
eommonly  used  Gram-Sehmitd  algorithm. 

Alvarez  et  al.  (2009) 

Fuzzy 

Produeed  vault  sets  that  were  resistant  to  eross-matehing  by  salting  the 
minutiae  point  eoordinates  with  a  seeret  key. 

Ang  et  al.  (2009) 

Transform 

Produeed  eaneelable  biometries  by  using  a  revoeable  key  in  the 
transform  funetion. 

Ballard  et  al.  (2008) 

Multifaetor 

User  password  and  random  oraeles  influeneed  the  generation  of  keys  to 
improve  entropy,  regardless  of  modality. 

Barhosa  et  al.  (2008) 

Homomorphie 

Salted  keys  with  random  oraeles  to  improve  entropy. 

Bami  et  al.  (2010) 

Homomorphie 

Borrowed  elements  of  Paillier  and  ElGamal  eryptosystems  using 
elliptieal  eurves  to  save  bandwidth  during  eneryption. 

Boult  et  al.  (2007) 

Transform 

Divided  input  biometrie  into  stable  and  unstable  bits,  eneoding  the 
stable  and  preserving  the  unstable  to  aid  authentieation.  Minimized 
tradeoff  between  seeurity  and  performanee. 

Chen  and  Chandran  (2007) 

Transform 

Applied  an  iterative,  bispeetral  transform  and  Reed- Solomon  error 
eorreetion  eodes. 

Chen  et  al.  (2009) 

Parametrie 

Generated  keys  from  statistieal  measurements  of  input  behavior. 

Chikkerur  et  al.  (2008) 

Projeetion 

Generated  signatures  from  loeal  image  patehes  around  minutiae  points 
rather  than  their  eoordinates.  Required  no  alignment  of  the  minutiae. 

Claney  et  al.  (2003) 

Fuzzy 

First  biometrie  implementation  of  fuzzy  eryptosystem. 

Costanzo  (2004) 

Parametrie 

Generated  eryptographie  keys  from  the  aggregation  of  parameterized 
measurements.  Original  biometrie  data  not  used  to  produee  the  keys. 

Freire-Santos  et  al.  (2006) 

Fuzzy 

Introdueed  automatie  alignment  of  fingerprint  images. 

Hao  et  al.  (2002) 

Parametrie 

Developed  a  PKI  system  that  produeed  keys  from  enerypted  biometrie 
templates. 

Hao  et  al.  (2006) 

Multifaetor 

Produeed  nearly  error- free  eodes  by  preproeessing  biometrie  data  with 
Reed- Solomon  and  Hadamard  eodes. 

Hirata  and  Takahashi  (2009) 

Transform 

Applied  minimum  average  eorrelation  energy  filters  to  produee 
templates  that  were  eomparable  in  the  enerypted  domain.  0%  EER 
reported. 

Huang  et  al.  (2011) 

Homomorphie 

Server  gains  no  knowledge  of  the  raw  input  data.  Among  the  most 
eomputationally  effieient  methods. 

Jin  et  al.  (2009) 

Aggregation 

Generated  bit  strings  from  the  angle  and  oeeurrenees  of  minutiae  within 
random  triangles. 

Kanade  et  al.  (2010) 

Multifaetor 

Improved  entropy  by  preproeessing  biometrie  data  with  Reed-Solomon 
and  Hadamard  eodes  and  salting  key  with  password. 

Linnartz  and  Tuyls  (2003) 

Fuzzy 

Introdueed  delta-eontraeting  and  epsilon-revealing  funetions  to  produee 
anonymized  representations  of  the  original  biometrie. 

Maiorana  et  al.  (2008) 

Transform 

Used  hidden  Markov  models  to  eompare  templates  in  the  enerypted 
domain. 

Merkle  et  al.  (2010) 

Fuzzy 

Exponentially  improved  the  entropy  of  vault  sets  by  superimposing  data 
from  multiple  fingerprints. 

Monrose  et  al.  (2001a) 

Multifaetor 

Authentieation  based  on  password  and  keystroke  behavior.  Deeision 
made  in  a  single  input.  Adapted  to  ehanges  in  behavior  over  time. 

Monrose  et  al.  (200  Ih) 

Multifaetor 

Authentieation  based  on  password  and  voiee  measurements.  Deeision 
made  in  a  single  input.  Adapted  to  ehanges  in  behavior  over  time. 

Nagar  et  al.  (2009) 

Fuzzy 

Improved  entropy  and  matehing  performanee  by  ineluding  minutiae 
deseriptors  in  the  vault  sets. 

Nagar  et  al.  (2010) 

Aggregation 

Extended  the  method  of  Suteu  et  al.  (2008)  to  inelude  fingerprint  ridges. 
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Article 

Method 

Notes 

Nandakumar  et  al.  (2007) 

Fuzzy 

Produced  cancelable  vaults  by  salting  them  with  user-supplied 
passwords. 

Nandakumar  and  Jain  (2008) 

Fuzzy 

Produced  multimodal  vault  sets  to  exponentially  improve  the  entropy  of 
vault  sets. 

Orencik  et  al.  (2008) 

Fuzzy 

Developed  an  algorithm  that  arranged  chaff  points  in  a  more  realistic 
manner  than  uniform  randomness. 

Ouda  et  al.  (2010) 

Projection 

Randomly  mapped  consistent  bits  of  biometric  data  to  encode 
cryptographic  keys.  Keys  could  be  cancelled  by  changing  the  value  of 
the  random  seed. 

Rane  et  al.  (2009) 

Homomorphic 

Extend  the  method  by  Sutcu  et  al.  (2008),  applying  Slepian-Wolf 
syndromes  and  LDPC  codes  on  irises  and  fingerprints. 

Scheirer  and  Boult  (2008) 

Transform 

Generated  tokens  that  can  be  re-encoded  to  form  hierarchies  of  trust,  in 
the  same  way  certificate  authorities  issue  digital  certificates. 

Scheirer  and  Boult  (2009) 

Transform 

Only  reliable  bits  stored  in  the  vault  set.  Allegedly  resistant  to  rotations 
and  translations  among  inputs. 

Shi  et  al.  (2008) 

Transform 

Plotted  minutiae  points  on  a  polar  coordinate  system,  centered  on  a 
region  of  interest. 

Soutar  et  al.  (1999) 

Transform 

Transformed  fingerprint  images  rather  than  features.  Produced  keys 
usable  in  AES. 

Sutcu  et  al.  (2007) 

Fuzzy 

Improved  matching  performance  by  quantizing  the  input  and  mapping 
the  coefficients  to  discrete  domains  prior  to  constructing  the  vault  set. 

Sutcu  et  al.  (2008) 

Aggregation 

Generated  bit  strings  from  the  occurrences  of  minutiae  within  random 
cuboids.  Implemented  Slepian-Wolf  syndrome  codes. 

Takahashi  and  Hirata  (2009) 

Transform 

Developed  an  image  chip  matching  algorithm  that  uses  correlation 
invariant  random  filters. 

Teoh  et  al.  (2007) 

Projection 

Applied  multispace  random  projections  to  the  method  by  Teoh  et  al. 
(2004),  preserving  security  in  stolen-token  scenarios. 

Teoh  et  al.  (2004) 

Multifactor 

Minutiae  coordinates  and  tokenized  random  number  influenced 
cryptographic  key  generation.  0%  EER  reported. 

Uludag  and  Jain  (2006) 

Fuzzy 

Appended  a  checksum  to  the  vault  set,  eliminating  the  practical  need  for 
error  correction  codes. 

Van  der  Veen  et  al.  (2006) 

Fuzzy 

Optimized  the  fuzzy  vault  scheme  for  use  by  machine  readable  travel 
documents. 

Vielhauer  et  al.  (2002) 

Parametric 

Generated  cryptographic  keys  from  parameterized  measurements  of 
biometric  inputs.  No  original  samples  saved. 

Yang  et  al.  (2010) 

Projection 

Revised  method  by  Teoh  et  al.  (2007)  to  support  dynamic  and  nonlinear 
projections,  improving  resistance  to  reverse  engineering. 

Ye  et  al.  (2009) 

Homomorphic 

Implemented  k-anonymity  to  prevent  the  server  from  directly  examining 
the  input  biometric. 

Zheng  et  al.  (2006) 

Fuzzy 

Introduced  lattice  mapping  as  an  alternative  means  for  constructing 
vault  sets. 

Figure  1 1 :  Summary  of  Biometric  PETs  Evaluated  in  this  Study 
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4.3  Fuzzy  Cryptosystems 


A  “sketch”  or  “vault”  is  a  secured  template  whose  development  can  be  traced  to  the  “fuzzy  vault”  scheme  proposed 
by  Juels  and  Sudan  (2002).  The  scheme  was  designed  to  encrypt  data  such  that  it  could  be  unlocked  by  similar  but 
inexact  matches.  Variants  of  the  fuzzy  vault  scheme  are  referred  to  more  generally  as  fuzzy  cryptosystems.  The 
method  lent  itself  well  to  the  protection  of  biometric  templates,  where  inputs  are  inconsistent  due  to  lighting, 
rotation,  etc.  The  mechanism  for  obfuscating  data  in  fuzzy  cryptosystems  is  to  insert  random  noise  that  resembles 
genuine  minutiae  points  or  other  features.  In  doing  so  an  attacker  cannot  easily  differentiate  genuine  features  and 
false  features.  Most  variations  of  this  system  follow  key  release  protocols,  though  some  generate  keys  from  the 
biometric  data.  The  key  generation  variant  was  pioneered  by  Dodis  et  al.  (2008)  and  is  often  referred  to  as  a  “fuzzy 
extractor.”  Fuzzy  cryptosystems  are  perhaps  the  most  practiced  and  debated  template  protection  methods  in 
academia.  As  a  result  there  is  a  wealth  of  literature  on  the  security  vulnerabilities  and  countermeasures  to  mitigate 
these  vulnerabilities,  making  this  method  among  the  most  mature  of  all  template  protection  methods  despite  its 
many  shortcomings. 

Given  its  inherent  weakness  to  collusion  attacks,  fuzzy  cryptosystems  should  be  employed  only  in  an  environment 
where  access  to  the  template  storage  device  is  reliably  secure.  Furthermore  they  are  better  suited  for  applications 
that  enroll  multimodal  biometrics.  This  ensures  that  the  vault  set  retains  a  high  level  of  entropy  to  resist  brute  force 
attacks.  Applications  endowed  with  greater  computing  power  should  consider  alternative  template  protection 
methods  that  offer  a  greater  level  of  security  at  the  expense  of  computational  efficiency.  To  the  extent  possible  given 
practical  constraints,  a  fuzzy  cryptosystem  should  make  use  of  the  strategies  proposed  by  Poon  and  Miri  (2009)  and 
Mihailescu  (2007)  to  harden  the  vault  set  against  collusions  attacks  and  brute  force  attacks. 

4.3.1  Method 

Three  steps  generally  constitute  the  protocol  for  fuzzy  cryptosystems: 

•  Feature  extraction 

Biometric  feature  data  are  recorded  onto  a  set  that  represents  the  original  or  “genuine”  biometric  features.  This  is 
referred  to  as  the  genuine  set.  Among  the  articles  reviewed,  the  most  widely  adopted  structure  for  this  set  consisted 
of  the  coordinates  and  angles  mi=(x,y,0)  of  fingerprint  minutiae.  The  ordinate  values  of  the  minutiae  points  are 
encrypted  by  a  secret  polynomial p.  A  genuine  set  G  of  n  minutia  points  mn  is  expressed  verbosely  as 

G=(mi,m2,  ...mn)=((xj,p(yi),0j),(x2,p(y2),02),  ...,(Xn,p(yn)A)) 


•  Noise  generation 

Random  data  is  recorded  onto  a  set  that  represents  counterfeit  biometric  features.  This  is  referred  to  as  the  “chaff’ 
set.  The  chaff  set  serves  as  a  decoy,  such  that  anyone  reading  the  template  could  not  easily  distinguish  genuine 
points  from  chaff  points.  To  be  effective,  it  must  be  structured  in  the  same  fashion  as  the  genuine  set  but  should 
contain  many  more  points  to  augment  the  entropy  of  the  vault  set.  The  number  of  chaff  points  that  can  be  generated 
without  ruining  verification  performance  is  limited  by  the  size  of  the  image.  A  chaff  set  C  of  i  chaff  points  Cn  is 
expressed  verbosely  as 


C=(ci,  Ci,  ...Cn)=( (xi,p(yi),  ei),  (x2,p(y2),  ^2  A  •  •  •,  (^i,p(yi),  eO) 


•  Point  Shuffling 

The  genuine  and  chaff  sets  are  combined  and  shuffled  by  a  function  S  to  create  a  secure  set,  referred  to  in  the 
literature  as  a  vault  or  sketch.  A  vault  set  V  of  n  +  i  points  Vn+i  is  expressed  verbosely  as 


In  a  coordinate  pair  (x,y),  y  represents  the  ordinate. 
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V=(Vi,V2,...V„^i)=S(GUC)=S((gi,g2,...gn),(Cl,C2,...Ci)) 


The  system  must  decode  the  sketch  before  it  can  match  the  data  against  inputs.  First  it  must  distinguish  the  genuine 
data  from  the  random  noise.  It  achieves  this  through  polynomial  reconstruction,  which  typically  requires  the  use  of 
error  correction  codes  and  “helper  data.”  Typically  the  similarity  between  an  input  and  a  stored  template  is  scored  by 
measuring  their  Hamming  distance. 

4.3.2  V  ulner  abilities 

Collusion  Attacks 

Early  fuzzy  cryptosystems  were  not  inherently  revocable.  An  attacker  could  compare  the  abscissa  values  between 
two  vaults  generated  from  the  same  fingerprint  to  identify  the  genuine  points  in  both  vault  sets.  If  an  attacker  is 
capable  of  breaching  one  dataset  and  stealing  data,  it  should  be  assumed  that  the  attacker  can  breach  other  datasets. 
An  attacker  that  obtains  vault  sets  from  multiple  datasets  can  identify  which  points  are  genuine  by  comparing  the 
sets  against  those  in  other  datasets.  While  the  chaff  points  will  be  different  for  two  vault  sets  from  the  same  user,  the 
abscissa  values  of  the  genuine  points  will  always  be  the  same;  thus  the  genuine  points  are  suggested  by  their 
consistency  among  vault  sets  across  multiple  datasets. 

Poon  and  Miri  (2009)  designed  algorithms  for  executing  collusion  attacks  on  fuzzy  cryptosystems,  which  assumes 
that  an  attacker  has  access  to  multiple  vaults  locked  by  the  same  fingerprint  stored  on  multiple  datasets  or  smart 
cards.  The  attack  involves  the  comparison  of  points  across  multiple  vault  sets  and  singles  out  the  points  which 
appear  in  more  than  one  vault.  By  a  process  of  elimination,  the  size  of  the  vaults  can  be  reduced  until  the  remaining 
points  are  deemed  genuine  with  a  high  degree  of  confidence.  The  researchers  proposed  several  strategies  for 
mitigating  the  risk  of  collusion  attacks,  one  of  which  was  to  apply  a  one-way  transform  to  the  vault  set. 

Nandakumar  et  al.  (2007)  proposed  a  variation  of  the  fuzzy  cryptosystem  that  mitigated  collusion  attacks  by  using 
multifactor  authentication,  using  a  password  or  token  to  alter  the  key  generation  process. 

Brute  Force  Attacks 

The  application  of  a  fuzzy  cryptosystem  on  a  fingerprint  image  typically  produces  low  entropy  vault  sets.  This 
makes  the  templates  susceptible  to  brute  force  attacks  and  incompatible  for  use  as  cryptographic  keys  in  common 
security  protocols  like  AES,  which  require  a  minimum  key  length  of  128  bits.  Mihailescu  (2007)  analyzed  the  ability 
of  fuzzy  cryptosystems  to  resist  brute  force  attacks.  While  the  seemingly  obvious  solution  would  be  to  generate 
more  chaff  points,  the  researcher  noted  that  the  number  of  chaff  points  that  can  be  generated  is  limited  both  by  the 
size  of  the  image  and  by  the  variance  of  the  genuine  minutiae  points.  The  researcher  proposed  several  strategies  for 
mitigating  the  risk  of  brute  force  attacks:  (1)  enroll  multiple  fingerprint  images  to  augment  the  entropy  of  the  vault 
set  exponentially;  (2)  generate  a  non-random  distribution  of  chaff  points  by  laying  a  hexagonal  grid  on  the 
fingerprint  template,  such  that  each  grid  point  is  associated  with  a  point,  be  it  chaff  or  genuine. 

The  means  of  maintaining  data  integrity  some  variations  of  the  fuzzy  cryptosystem  opened  the  door  to  brute  force 
attacks.  Uludag  and  Jain  (2006)  and  Nandakumar  and  Jain  (2008)  appended  a  checksum  to  the  vault  set  which 
allowed  the  server  to  determine  if  a  match  was  successful  more  efficiently.  Mihailescu  (2007)  observed  that  while 
this  method  enhanced  system  performance,  it  would  allow  an  attacker  to  understand  in  real  time  when  an  attempted 
brute  force  attack  succeeds.  To  use  checksums  therefore  facilitates  the  execution  of  offline  brute  force  attacks. 


Researchers  have  also  identified  another  vulnerability  whereby  an  attacker  can  substitute  some  of  the  chaff  points 
in  the  vault  set  with  his  or  her  own  genuine  points,  thus  enabling  the  system  to  recognize  the  attacker  as  legitimate. 
While  this  is  concerns  the  security  of  the  method,  it  does  not  concern  the  privacy  of  the  user  and  therefore  falls 
outside  the  scope  of  this  report. 

In  a  coordinate  pair  (x,y),  x  represents  the  abscissa  value. 

See  Mihailescu  (2007):  7-8. 
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Nandakumar  and  Jain  (2008)  and  Merkle  et  al.  (2010)  proposed  the  enrollment  of  multiple  fingerprints  and 
multimodal  biometrics  to  exponentially  increase  the  size  of  the  vault  set.  The  multiple  fingerprint  vault  set,  which 
performed  better  than  the  multimodal  vault  set  in  a  test  by  Nandakumar  and  Jain  (2008),  achieved  a  size  of  224  bits 
where  the  error  rates  were  lowest.  Unfortunately  the  solutions  proposed  in  both  publications  would  be  unacceptable 
in  most  existing  fingerprint  applications,  which  were  designed  to  enroll  and  match  a  single  fingerprint  image. 

Information  Leakage 

Most  fuzzy  cryptosystems  store  public  auxiliary  information,  referred  to  in  the  literature  as  “helper  data,”  to  reduce 
intraclass  variance,  thereby  enhancing  the  verification  performance  of  the  system.  Helper  data  derives  from  the 
original  biometric  input.  Uludag  and  Jain  (2006),  for  example,  used  the  maximum  curvature  points  and  the 
corresponding  curvature  values  from  the  orientation  flow  curves  of  the  minutiae.  The  caveat  is  that  the  helper  data 
leaks  trace  amounts  of  information  on  the  original  biometric,  making  it  easier  to  reverse  engineer  the  original 
biometric  from  the  vault  set.  Most  researchers  claimed  that  the  amount  of  information  leaked  is  trivial,  but  the 
security  risk  should  be  assessed  nonetheless. 

4.3.3  Performance 

Empirical  tests  on  the  performance  of  fuzzy  cryptosystems  have  produced  mixed  results.  Researchers  have  applied 
the  method  to  face,  iris,  fingerprint,  signature,  ear,  and  multimodal  biometrics.  None  of  the  key  binding  variations 
met  the  performance  target  of  1%  ERR  at  0.1%  FAR,  and  only  one  key  generating  variation  met  the  target.  Van  der 
Veen  et  al.  (2006),  whose  method  was  eventually  developed  into  an  algorithm  now  sold  in  products  by  priv-ID, 
achieved  the  best  results  using  a  key  binding  variation  against  face  images  at  0.25%  EER.  An  implementation  of  the 
method  by  Linnartz  and  Tuyls  (2003)  yielded  the  best  results  using  a  key  generating  method  against  ear  biometrics 
at  0.6%  ERR  at  0.05%  FAR,  which  meets  the  performance  target.  Ironically,  as  researchers  invested  so  much  time  in 
the  development  of  fuzzy  cryptosystem  for  fingerprints,  the  method  has  yet  to  produce  acceptable  performance  rates 
for  that  modality. 

4.3.4  Articles 
Clancy  et  al.  (2003) 

At  the  time  of  this  publication,  smartcards  had  become  a  common  technology  and  concerns  grew  over  the  security  of 
private  keys  stored  in  the  cards.  Clancy  et  al.  proposed  a  framework  for  a  smartcard  system  in  which  the  private  key 
was  encrypted  and  decrypted  by  an  authorized  fingerprint.  The  proposed  method  was  the  first  variation  of  the  fuzzy 
vault  scheme  by  Juels  and  Sudan  (2002).  Referred  to  by  the  researchers  as  a  “fingerprint  vault,”  the  proposed 
method  used  the  coordinates  of  fingerprint  minutiae  to  encrypt  and  decrypt  the  private  key. 

Method 

For  each  transaction  the  user  presents  a  fingerprint  image  from  which  a  vector  of  features  are  extracted.  For  the 
purpose  of  this  paper,  the  researchers  treated  the  extraction  and  alignment  of  features  as  a  black  box.  The  minutiae 
coordinates  m/=(x/,y/)  form  the  basis  of  the  key  used  to  lock  the  vault.  To  handle  intraclass  variations,  a  matrix  of 


likely  minutiae  locations  (x  ;,y  j)  from  a  given  minutiae  set  is  constructed  using  an  additive  Gaussian  noise  model. 


Chaff  points  are  added  to  obfuscate  the  fingerprint  data.  To  prevent  quantization  errors,  the  chaff  points  must  not  be 
placed  too  close  to  the  genuine  points  or  to  themselves.  The  researchers  use  a  circle  packing  algorithm  to  generate  as 
many  chaff  points  as  possible  within  the  limited  space  while  maintaining  sufficient  randomness. 

During  enrollment,  the  user  presents  N  fingerprint  images  resulting  in  N  minutiae  sets,  bl,b2. .  .bN.  To  derive  the 
locking  set  L,  let  A  be  the  set  of  average  points  with  multiplicity.  For  each  minutiae  mi  in  each  set  bn  elements  are 
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selected  from  nk  G  A  where  |nk-mk|<T.  If  no  matches  are  found,  mj  is  added  to  A  with  a  multiplicity  of  one; 


otherwise  mi  is  added  to  the  average  and  the  multiplicity  is  increased  such  that  A={a  E  A:  multiplicity(a)>S}.  Figure 


12  illustrates  how  the  reliable  minutiae  point  regions  are  determined  after  several  training  enrollments. 

During  authentication,  the  user  presents  a  single  fingerprint  image  from  which  a  minutiae  set  U  is  derived.  For  each 
point  in  the  set,  the  system  finds  the  closest  point  in  the  vault  set.  They  used  the  Berlekamp-Massey  algorithm,  a 
variation  of  Reed-Solomon  decoding,  to  unlock  the  vault.  The  secret  polynomial  can  be  reconstructed  if  at  least 
(a+n)/2  points  in  the  query  set  match  a  genuine  point  in  the  vault  set,  where  a  represents  the  radius  of  the  reliable 
minutiae  regions. 
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Figure  12:  Example  of  reliable  minutiae  regions 
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Performance 


The  researchers  tested  the  proposed  method  against  fingerprint  images.  They  achieved  -30%  FRR  at  -0%  FAR, 
which  is  unacceptable  in  many  applications.  False  match  rates  and  false  non-match  rates  rose  as  the  polynomial 
degree  and  number  of  chaff  points  rose.  Uludag  et  al.  (2004)  noted  that  this  method  required  fingerprint  images  to  be 
pre-aligned  in  order  to  perform  well  and  that  it  was  not  tested  in  a  sufficiently  realistic  environment.  Therefore  the 
method  required  significant  tuning,  as  would  happen  in  the  development  of  the  fuzzy  cryptosystem. 

Linnartz  and  Tuyls  (2003) 

Linnartz  and  Tuyls  were  concerned  with  the  unauthorized  collection  and  misuse  of  biometric  templates,  which  at  the 
time  were  often  stored  in  the  clear.  They  attempted  to  obfuscate  templates  as  a  means  to  safeguarding  the  privacy  of 
their  owners.  The  proposed  method  used  transform  functions  to  irreversibly  anonymize  biometric  information.  Their 
study  was  the  first  to  concern  itself  not  just  with  the  ability  to  produce  cryptographic  keys  from  biometric  data  but  to 


Umut  Uludag  et  al.,  “Biometric  Cryptosystems:  Issues  and  Challenges,”  Proceedings  of  the  IEEE  92  (2004):  956. 
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safeguard  the  privacy  of  biometric  data.  The  theory  behind  the  methodology  was  foundational  to  the  work  of  Dodis 
et  al.  (2008). 

Method 


At  a  high  level,  a  feature  measurement  Y  is  extracted  from  the  biometric  image  that  a  user  presents  upon  enrollment. 
A  signal  processing  function  G=(W,Y)  quantizes  the  supplied  information  to  reduce  noise.  The  refined  data 
Z=G(W,Y)  is  then  obfuscated  by  a  hash  function  F  to  produce  a  secure,  noninvertible  template  U=F(Z).  The  signal 
processing  function  G  is  applied  to  the  input  data  to  ensure  that  the  input  values  are  mapped  to  the  same  values  as 
those  in  the  stored  template. 

For  the  dimension  (1,2,. .  .i,. .  .,n7,n7=n2)  of  Y,  W,  and  Z  the  5-contracting  function  is  expressed  as 


= 


T  if  2nq  <  -h  <  (2n  +  l)q  for  any  n  = 
,0  if  (2n  —  l)q  <  y^  -h  Wj  <  2nq  for  any  n  = 


-1,0,1  ... 
-1,0,1  ... 


where  q  is  the  quantization  step  size  and  w  is  the  watermark  of  quantization  index  modulation.  During  enrollment, 
Xf  is  measured  and  the  certifying  authority  finds  a  Wf  such  that  the  value  of  y^  +  Wf  is  pushed  to  the  nearest  lattice 
point  where  X/+W/+  a  is  quantized  to  the  same  Zf  for  any  small  a  .The  watermark  w  is  expressed  as 


(2n  +^q-Xi 

(zn 


ifSj  =  1 
if  Si  =  0 


where  n=-*-,-l,0,l . . .  is  chosen  such  that  -q  <  W/  <  q.  The  value  of  n  is  discarded  while  the  values  of  w  are  used  as 


helper  data  in  subsequent  transactions. 

Performance 

The  researchers  discussed  the  theory  behind  the  proposed  method  in  theory  but  did  not  test  empirically.  But  it  was 
implemented  in  a  subsequent  study  by  Tuyls  et  al.  (2004),  who  tested  the  proposed  method  against  360  ear  images 
from  45  unique  individuals.  They  achieved  0.6%  FRR  at  0.5%  FAR  where  mean  key  length  1  =  370  and  a=2.0. 

These  are  the  best  results  achieved  by  a  fuzzy  cryptosystem  among  those  review  in  this  report.  They  observed  that 
FRR  falls  as  either  a  or  key  size  /  rises,  and  the  key  length  /  falls  as  a  rises. 

Van  der  Veen  et  al.  (2006) 

Van  der  Veen  et  al.  proposed  a  variation  of  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002)  intended  for  use  in 
machine  readable  travel  documents.  The  proposed  method  was  one  of  the  few  fuzzy  cryptosystems  to  be  applied  to  a 
modality  other  than  fingerprints,  yet  it  was  among  the  best  performing  variants  reviewed  in  this  report.  Van  der 
Veen  is  now  the  CEO  of  priv-ID,  a  leading  provider  in  privacy  enhancing  technologies  for  biometrics,  and  the  other 
researchers  in  the  report  have  filed  multiple  applications  for  patents  on  biometric  template  protection. 

Method 


The  researchers  cite  B.  Chen  and  G.W.  Wornell,  1998,  “Digital  Watermarking  and  Information  Embedding  Using 
Dither  Modulation,”  in  IEEE  Workshop  on  Multimedia  Signal  Processing  47(4):  1423-1443. 
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During  enrollment,  the  user  presents  a  face  image  and  fiduciary  features  are  extracted  from  the  image  in  the  form  of 
a  vector  X.  19  The  feature  vector  is  immediately  converted  into  a  codeword  vector  C  using  from  an  error  correction 
code.  The  vector  is  mapped  onto  a  random  vector  to  be  used  as  helper  data  during  authentication.  The  helper  data 

signal  W  is  defined  as  the  difference  between  the  codeword 
vector  and  the  feature  vector,  such  that  W  x=C  x-X.  Figure  13 
illustrates  the  algorithm  during  enrollment  and  authentication 
of  the  proposed  helper  data  algorithm  developed  in  a  prior 
publication.  During  authentication  the  correct  point  is  selected 
within  a  given  radius  a. 
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Figure  13:  Enrollment  (a)  and  authentieation  (b) 
proeedures  in  the  proposed  helper  data  algorithm 


Then  the  vector  is  quantized  into  a  binary  feature  vector  Q/ 
such  that  for  each  user  i 


{ 0 


if 

if 


(A)t 

(A)t 


Where  i  ^  is  the  mean  of  the  enrollment  feature  vector,  t  is  the  component  number,  and  (i  is  the  mean  of  the 


intraclass  variability.  Citing  the  unreliability  of  the  researchers  selected  only  the  most  reliable  components  from 
each  vector  resulting  in  Z^.  The  vector  is  then  ready  to  be  protected.  To  achieve  this  they  employed  an  error 
correction  code  with  parameters  (K,s,d)  where  K  is  the  length  of  the  codeword,  s  is  the  number  of  information 


symbols,  and  d  is  the  number  of  errors  that  can  be  corrected.  First,  a  random  binary  sequence  Sn)  G  {0,1 }  Ms 


generated  and  encoded  into  a  codeword  C/.  Then  the  second  helper  data  signal  W2  is  determined  where 


W2,=  Q©Z, 


The  data  (i,Wfx),W2/£),h(S;X)))  is  saved  to  a  storage  device  and  will  be  referenced  during  authentication,  where  h(Sij)) 
is  the  hash  value  of  the  binary  sequence  Sid.  When  the  user  attempts  to  authenticate,  a  vector  of  reliable  features  is 
extracted  from  the  query  face  image.  Template  information  (i,Wf x),W2//),h(S/£)))  is  pulled  from  the  storage  device. 
Both  i  and  W1;X)  are  used  to  derive  the  binary  feature  vector  Z\j)  which  is  necessary  for  determining  the  codeword 
C'iD  such  that 


Decoding  C'iD  leads  to  the  recovery  of  the  secret  S' id  and  its  hash  value  h(S//)).  Authentication  is  successful  if  this 
hash  value  matches  that  stored  in  the  system. 

Performance 

The  researchers  tested  the  proposed  method  against  one  dataset  with  237  faces  and  another  with  96  faces. 
Respectively  they  achieved  35%  FRR  at  0%  FAR  meeting  at  1.5%  EER;  and  3.5%  FRR  at  0%  FAR  meeting  at 
0.25%  EER.  The  images  that  yielded  more  accurate  results  had  smaller  dimensions,  fewer  fiducial  points,  a  smaller 


The  researchers  consider  six  such  features  in  this  publication:  left  and  right  eye,  left  and  right  eyebrow,  mouth,  and 
nose. 
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feature  vector  size,  and  less  interclass  variability.  The  security  of  the  method  might  appear  dubious  compared  to 
others  because  multiple  data  (i,Wl/£),W2/£),h(S//)))  are  saved  to  the  storage  device.  The  researchers  claimed  that  an 
attacker  cannot  retrieve  a  reliable  feature  vector  even  with  knowledge  of  the  helper  data  signal  W2/  and  hashed 
secret  h(S/). 

Zheng  et  al.  (2006) 

Zheng  et  al.  proposed  a  method  for  producing  highly  entropic,  noninvertible  keys  from  iris  images.  They  extended 
the  fuzzy  commitment  scheme  by  Juels  and  Sudan  (1999)  by  using  K-nearest  neighborhood  classification.  The 
lattice  functions  that  map  the  biometric  features  onto  lattice  spaces  are  the  only  elements  stored  in  the  protected 
template.  The  researchers  claimed  that  the  original  biometric  cannot  be  recreated  from  the  protected  template  even  if 
the  lattice  functions  are  compromised. 

Method 

For  each  transaction,  the  user  presents  a  biometric  image  from  which  a  feature  vector  x=(x7,X2. .  .x^)  is  extracted.  The 
system  generates  an  array  of  random  binary  strings  sp  stored  as  a  codeword  vector  c=(s7,S2. .  .s^).  The  codeword  is 
treated  as  the  coordinate  x  in  the  lattice  space  L(0,a),  where  O  is  its  origin  and  a  is  its  grid  size.  The  origin  O  is 
defined  as  an  array  0=(o7,02. .  .o^)  where  each  oi=xi-a-2aS/.  The  decoding  function  f()  maps  x  to  c  using  the  lattice 
system  L(0,a).  Each  codeword  element  S/  is  mapped  onto  a  vector  such  that 


-  Qi 

28 


i  = 


The  system  then  computes  the  secret  key  sk=h(c)  or  key  pair  (SK,PK)=K(c)  and  stores  the  lattice  system  L(0,a). 
During  authentication,  the  user  presents  a  biometric  image  and  attempts  to  unlock  the  codeword  stored  in  the 
system.  If  successful,  the  codeword  is  used  to  compute  the  secret  key  or  to  seed  K  to  derive  (SK^,PK7/).  The 
codewords  match  where 


^-1 : 

(  nol  c 


if 

if 


||x'  -x,||  <  S 
||x'  -x,||  >5 


Performance 

The  researchers  tested  the  proposed  method  against  150  iris  images.  They  achieved  ~2%  EER  where  K  =  7  and 
~1.5%  EER  where  the  grid  size  a=0.7.  Error  rates  fell  as  the  number  of  training  samples  rose. 

The  researchers  noted  that  the  security  of  the  protected  template  depends  on  the  hash  function  h(c)  or  the  key 
generator  K(c).  They  further  note  that  the  release  of  a  would  leak  trace  amounts  of  information  on  the  original 
biometric,  even  though  only  the  lattice  functions  are  stored  in  the  template.  The  templates  can  be  canceled  by 
altering  the  value  of  the  a. 

Uludag  and  Jain  (2006) 

Uludag  and  Jain  proposed  a  variation  of  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002)  to  protect  fingerprint 
templates.  A  security  concern  in  the  original  scheme  was  its  tendency  to  leak  trace  amounts  of  information  on  the 
original  biometric  template,  which  theoretically  could  be  used  to  reverse  engineer  the  original  template  from  the 
protected  template.  The  goal  of  this  study  was  to  produce  a  more  robust  template  protection  method  in  which  helper 
data  leaks  no  sensitive  information  on  the  original  biometric.  The  proposed  method  did  not  include  error  correction 
codes  as  the  original  fuzzy  vault  scheme  did. 

Method 

During  enrollment  the  user  submits  a  fingerprint  image  from  which  a  feature  vector  is  extracted.  Minutiae  data  are 
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quantized  to  account  for  intraclass  variations.  Concomitantly,  a  128-bit  secret  string  is  randomly  generated  and  a  16- 
bit  cyclic  redundancy  check  (CRC)  is  generated  from  the  secret  string.  The  CRC  is  appended  to  the  secret  string, 
forming  a  144-bit  string.  This  string  can  be  represented  as  a  polynomial  p(u)  with  9  coefficients  with  degree  d=8 
such  that 


p(u)  =  CqU^  -I-  +  •••  -h  -h  Co 

The  bit  string  is  used  to  create  two  sets  of  point  pairs:  a  set  of  genuine  points  from  the  template  and  a  set  of  chaff 
points  randomly  generated  in  the  Galois  field  GF(2^^).  The  genuine  set  G  and  chaff  set  C  are  defined  respectively  as 


G  =  [(ui,p(yi)),(u2,p(y2)),  ...,(ww,p(yiv))] 

and 


c  —  [(^1,  diX  ^2)^  •••  '  ^m)] 

where  each  u  is  a  unique  minutiae  point  in  the  original  template,  p(u)  is  the  polynomial  of  u,  N  is  the  number  of  u;  c 
and  d  are  distinct  sets  of  random,  unique  points,  and  M  is  the  number  of  chaff  points.  Finally  the  genuine  and  chaff 


sets  are  combined  as  GuC  and  scrambled  into  the  vault  set  V,  such  that 


V  =  (Vi,W:^),Cv2,W2),....(VN+M>'^N+M) 

where  v  and  w  represent  the  scrambled  points,  N  represents  the  number  of  minutiae  templates,  and  M  represents  the 
number  of  chaff  points.  During  authentication  a  user  submits  N  query  minutiae  Q={u7*,U2*,. .  .,U7v*}  in  an  attempt  to 
unlock  vault  V.  Points  u^v*  are  compared  with  the  abscissa  values  in  V.  Any  vault  point  (Vf,w^)  that  matches  that  in 
the  input  is  recorded  to  a  set  to  be  verified  in  the  decoding  phase.  The  researchers  construct  the  Lagrange 
interpolation  of  the  polynomial  to  decode  the  vault  set.  From  a  given  vault  set  v=V7v+M,W7v+Mthe  corresponding 
polynomial  is 


P'(u) 


(u  -  i;2)(u  -  1^3) ...  (u  -  ^  ^  (u  -  q )(u  -  r.J  ...  (u  -  Vp) 

(q  -  V2KV1  -  Va)  ...  (q  -  -  172)  ... 


which  when  calculated  in  Galois  field  GF(2^^)  is  expressed  as 


p*iu)  =  i-  + - h  -t-  Cq 

If  at  least  D  +  1  query  minutiae  points  match  a  genuine  minutiae  point  in  the  vault  set,  the  correct  secret  S  will  be 
decoded  and  the  user  is  authenticated. 

Performance 

Uludag  and  Jain  tested  the  proposed  method  against  800  fingerprint  images  using  automatic  alignment.  They  mixed 
24  genuine  minutiae  points  with  200  chaff  points  per  vault.  The  results  from  two  trials  showed  27.4%  FRR  and 
15.5%  FRR^^  respectively  at  0%  FAR.  They  claimed  that  the  false  rejections  were  due  to  errors  in  helper  data  or 
poor  quality  input  images.  Their  implementation  of  the  iterative  closest  point  algorithm  aligned  input  features  to 
template  features,  something  that  other  researchers  at  the  time  had  neglected  to  consider. 

Freire-Santos  et  al.  (2006) 

Freire-Santos  et  al.  proposed  a  variant  of  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002).  Prior  to  their  research. 


FRR  calculated  from  reported  GAR. 
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template  protection  methods  based  on  the  fuzzy  vault  scheme  required  manual  prealignment  of  the  input  images. 
Freire-Santos  attempted  to  align  the  input  images  w2automatically.  Their  methodology  follows  that  of  Uludag  and 
Jain  (2006). 

Method 

As  shown  in  Figure  14,  during  enrollment,  the  user  writes  a  signature  from  which  a  template  feature  vector  T  is 
extracted  in  the  form  of  N  16-bit  units.  A  checksum  of  S  is  appended  to  S.  A  polynomial  p(x)  is  then  constructed 
with  degree  D=K/16,  such  that 


p(x)  -  Six^  +. . .+  SdX^  +  Sd+1 

Polynomials  are  projected  for  all  points  in  the  feature  vector,  forming  genuine  set  G,  such  that 

G={ti,p(ti ),..., (tN,p(tN))} 

A  chaff  set  C  with  M  points  is  also  generated  where  di^(Ci)  such  that 

C={ci,di,. .  .,CM,dM} 


The  genuine  and  chaff  point  sets  GuC  are  scrambled  into  the  vault  set  V  such  that 


V={(vi,Wi ),. .  .(vn+m,Wn+m)} 


The  vault,  then,  is  nothing  more  than  a  disordered  union  of  the  genuine  and  chaff  point  sets.  That  the  two  sets  are 
arranged  in  a  random  fashion  makes  it  nearly  impossible  to  distinguish  genuine  and  chaff  points.  Only  by  knowing 
D  +  1  or  more  genuine  points  can  a  polynomial  be  reconstructed  to  distinguish  the  genuine  points. 


T 


Figure  14:  Encoding  process  (2006:  3) 


During  authentication,  the  user  presents  a  signature  from  which  a  template  feature  vector  Q  is  extracted.  To  unlock 
the  vault,  the  values  of  the  feature  vector  from  an  input  image  are  compared  against  those  in  the  vault.  Specifically  if 
any  point  ql  is  present  in  the  abscissa  values  of  the  vault  set,  then  the  point  will  be  used  as  a  candidate  to  reconstruct 
the  secret  polynomial.  The  secret  polynomial  is  interpolated  with  all  combinations  of  the  point  candidates  using  the 
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Lagrange  method,  also  used  by  Uludag  and  Jain  (2006).  If  the  division  between  this  new  polynomial  and  the  stored 
polynomial  is  equal  to  zero,  then  the  secret  is  valid  with  an  error  probability  of  2'^^;  otherwise  it  is  invalid. 

In  their  implementation,  Freire-Santos  et  al.  preprocessed  handwritten  signatures  by  omitting  the  first  and  last  10% 
of  the  images,  normalizing  the  shapes  based  on  the  center  of  mass  and  the  standard  deviations  of  the  function  values, 
and  smoothing  the  images  to  reduce  noise-related  errors.  They  constructed  their  vaults  using  the  maxima  and 
minima,  in  the  same  fashion  that  Uludag  and  Jain  (2006)  used  the  coordinates  of  fingerprint  minutiae. 

Performance 

The  researchers  tested  their  method  against  16,500  handwritten  signatures.  After  15,625  imposter  comparisons,  they 
achieved  57.30%  FRR  at  1.18%  FAR  and  0.32%  FAR  for  skilled  and  random  forgeries,  respectively.  These  results 
are  far  from  ideal,  but  it  should  be  noted  that  the  signature  modality  typically  yields  less  accurate  verification  rates 
than  fingerprint,  iris,  or  face  biometrics.  Further  testing  on  more  reliable  biometric  modalities  and  with  error 
correction  strategies  might  yield  lower  error  rates. 

Sutcu  et  aL  (2007) 

Sutcu  et  al.  critiqued  the  practical  application  of  existing  fuzzy  cryptosystems,  arguing  that  a  lot  of  entropy  would  be 
lost  when  generating  keys  from  quantized  templates.  They  described  a  cryptosystem  that  they  developed  in  a 
previous  work^^  and  applied  it  to  an  authentication  scheme  using  face  biometrics.  The  proposed  method  is  similar  to 
the  fuzzy  vault  scheme  proposed  by  Juels  and  Sudan  (2002). 

Method 

During  enrollment,  the  user  i  presents  a  biometric  image  from  which  a  feature  vector  Vi=[vii  v^. .  .ViJ^  of  size  n  is 
extracted  several  times  to  train  the  system.  Each  midpoint  v  y  and  range  size  by  of  the  feature  vectors  is  estimated 
from  the  training  set.  The  global  range  sizes  MNj=mint(mnij )  and  MXj=maxt(mXy )  are  quantized  into  a  codebook  Cj 
such  that 


Cj  =  [MNj  -  Vj,  MNj  -  Vj  +  8j,  MNj  -  Vj  +  28j . MNj  -  Vj  +  L/y} 

where  q  is  a  random  positive  number  and  Lj  is  an  integer  that  satisfies  MNj-rj+Lj  5j>MXj.  This  allows  the  data  to  be 
mapped  onto  a  discrete  domain,  which  was  a  requirement  of  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002). 
Then  a  vault  set  Pi  is  derived  from  the  codebook  as  a  vector  expressed  as 

Pi=[Pil  Pi2.--Pikf 


where  each  P  is  defined  as 


Pij  =  -  Vij) 


and  where  is  the  codeword  in  that  is  closest  to  Fv)  .  Reconstruction  of  the  original  biometric  is 

successful  if 

n 

-dij  <  Qiivij)  <  dij(x  +  a)”  =  2 

k=0 


Qiming  Li,  Yagiz  Sutcu  and  Nasir  Memon,  2006,  “Secure  Sketch  for  Biometric  Templates,”  in  Lecture  Notes  in 
Computer  Science  4284(2006):  99-113. 
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where  the  discrete  range  size  dij=[5ij/8j  ]  is  the  user  specific  error  tolerance  bound  for  the  jth  component  and  the 


quantization  step  5j  is  defined  as  5j=a  min(5ij);  a  is  a  parameter  between  0  and  1.  During  authentication,  feature 
vectors  from  an  input  image  are  extracted,  trained,  and  quantized  in  the  same  fashion  as  the  enrollment  process.  If 
the  dataset  matches  that  of  one  stored  in  the  dataset,  authentication  is  deemed  successful. 

Performance 

The  researchers  tested  the  proposed  method  against  face  images.  After  1,216  genuine  and  183,616  imposter 
authentication  attempts,  they  achieved  -3.8%  FRR  at  -0.7%  FAR  where  ^  was  a  recommended  value  of  1 .  Its 
performance  can  be  linked  to  the  proposed  quantization  method,  which  is  what  distinguishes  this  method  from  other 
fuzzy  cryptosystems. 

Nandakumar  et  al.  (2007) 

Nandakumar  et  al.  wrote  this  article  in  reaction  to  growing  concerns  about  the  security  vulnerabilities  in  the  fuzzy 
cryptosystems,  namely  that  the  vault  sets  could  not  be  cancelled  and  were  susceptible  to  collusion  attacks.  They 
attempted  to  produce  cancelable  vault  sets  for  fingerprints  by  integrating  passwords  to  the  general  method  of  the 
fuzzy  cryptosystem.  The  method  is  similar  to  that  proposed  by  Teoh  et  al.  (2004)  in  that  it  authenticates  a  user  based 
on  who  they  are  and  what  they  have. 

Method 

During  enrollment  the  user  presents  a  password  and  a  fingerprint  image  from  which  a  feature  vector  (x,y,e)  is 
extracted,  where  (x,y)  are  the  minutiae  coordinates  and  e  is  the  angle  of  each  minutiae  point.  The  minutiae  points  are 
classified  according  to  their  location  in  each  quadrant  of  the  image.  Then  the  password  is  split  into  four  equally 
sized  units,  which  are  then  distributed  evenly  among  the  quadrants.  Each  password  unit  is  divided  into  three 
components  Tx,  Ty,  and  T^.  Txand  Ty  represent  the  amount  by  which  the  minutiae  will  be  translated,  and  T^ 
represents  the  degree  to  which  they  will  be  rotated.  The  new  minutiae  attributes  Q  x,  QV?  ?  and  Q'e,  are  derived  from 
the  addition  of  the  translations  values  and  the  original  values  modulo  the  appropriate  range,  such  that 

Q'x  =  (Qx  +  W  mod(2®-) 

Q'y  =  (<3y  +  Ty)  mod(2®>') 

Q'e  =  (Qe  +  Te)  mod(2^e^ 

Observe  that  a  change  in  the  password  would  affect  the  values  of  Qx ,  Qy ,  and  Q^'.  Thus  if  the  user  were  to  change 
his  or  her  password,  the  template  would  be  cancelled.  Next,  the  minutiae  points  are  encrypted  in  the  vault  set.  To 
construct  the  vault,  the  researchers  use  Lagrange  interpolation  and  cyclic  redundancy  checks  instead  of  the 
conventionally  used  Reed-Solomon  polynomial  reconstruction.  Each  minutiae  point,  represented  as  an  element  in 
the  Galois  field  GF(2^^),  is  quantized  into  binary  strings  Qx,  Qy,  and  Q^.  These  minutiae  points  form  a  genuine  set.  A 
large  set  of  chaff  points  is  combined  and  shuffled  with  the  genuine  set  to  form  the  vault  set. 

During  authentication,  the  user  presents  a  password  and  a  query  fingerprint  image.  Minutiae  from  the  query  image 
are  transformed  by  the  password  using  the  same  process  as  during  enrollment.  Helper  data  from  the  vault  set  and 
query  set  are  aligned  with  the  transformed  query  template  using  a  trimmed  iterative  closest  point  algorithm.  This 
singles  out  many  of  the  chaff  points  from  the  vault  set,  assuming  the  query  fingerprint  is  indeed  the  same  as  the 
enrolled  fingerprint.  The  researchers  claimed  that  the  helper  data  leaks  no  information  on  the  original  biometric, 
which,  if  valid,  poses  no  significant  security  threat. 

The  researchers  assumed  the  password  length  to  be  16-bits,  or  8  characters,  which  perfectly  aligned  with  the 
number  of  minutiae  points.  How  to  handle  a  variable-length  password  is  a  major  concern  for  the  usability  this  method. 

The  researchers  cite  D.  Chetverikov  et  al.,  2002,  “The  Trimmed  Iterative  Closest  Point  Algorithm,”  in  Proceedings 
of  the  international  Conference  on  Pattern  Recognition:  545-548. 
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Performance 


The  researchers  tested  their  approach  against  two  datasets  with  800  and  640  fingerprint  images.  Respectively  the 
results  yielded  10-19%  FRR  and  19.4-26.2%  FFR^^  at  0%  FAR  with  58-70  bits  of  security  including  the  password. 
FRR  increased  as  the  size  of  the  polynomial  increased.  Additionally,  they  found  the  vault  sets  to  be  more  uniformly 
distributed  than  the  original  template,  fortifying  them  against  attacks.  What  this  approach  gains  in  security  it  loses  in 
usability.  While  its  results  showed  that  it  can  reliably  protect  against  unauthorized  access,  it  may  reject  too  many 
genuine  users  to  be  considered  acceptable.  This  may  have  been  the  only  attempt  at  combining  fuzzy  cryptosystems 
with  multifactor  authentication,  and  the  results  do  not  bode  well  for  their  interplay. 

Nandakumar  and  Jain  (2008) 

Nandakumar  and  Jain  applied  fuzzy  cryptosystems  to  multimodal  templates  that  combined  fingerprint  minutiae  and 
IrisCodes.  The  proposed  method  transformed  both  feature  sets  into  a  common  format  and  fused  them  into  a  single 
vault  set  following  the  fuzzy  vault  scheme  proposed  by  Juels  and  Sudan  (2002).  The  setup  of  the  method  mirrored 
that  proposed  by  Nandakumar  et  al.  (2007)  in  that  biometric  features  were  represented  in  Galois  field  GF(2^^),  the 
key  size  was  set  to  16^  bits  where  n  was  the  degree  of  polynomial  P,  and  error  correction  was  achieved  through 
Lagrange  interpolation  and  CRC  instead  of  Reed-Solomon  codes. 

Method 

For  each  transaction  the  user  presents  a  fingerprint  and  an  iris.  Features  from  fingerprint  and  iris  images  were 
segmented  and  converted  to  a  common  format.  Upon  presenting  a  fingerprint,  the  coordinates  and  angles  of  the 
highest  quality  minutiae  points  were  extracted,  quantized,  and  concatenated  into  a  1 6-bit  number.  A  set  of  high 
curvature  points  was  also  extracted  and  stored  in  the  vault  to  aid  the  alignment  of  the  stored  template  with  the  query 
templates.  Upon  presenting  an  iris,  the  IrisCode  template  is  extracted  and  transformed  by  a  random  salt.  To  perform 
the  transform,  and  IrisCode  IT  is  split  into  r  distinct  components  .  Then  r  random  binary  vectors  .  .K^ 

are  generated.  A  BCH  encoder  is  applied  to  each  binary  vector  .  .KUesulting  in  the  codewords  H(K^). .  .H(K^). 
The  codewords  were  XORed  with  the  transformed  IrisCode  components  -nJil  such  that  any  given  component 

^  Thus  the  transformed  IrisCode  L  can  be  expressed  more  simply  as 


K  =  F^ilr,K^) 


where  Fi  is  the  salting  function  that  transforms  the  U  based  on  Ki. 

Nandakumar  and  Jain  considered  the  proposed  on  three  applications  of  multiple  biometrics:  (1)  where  the  template 
consisted  of  multiple  impressions  of  the  same  fingerprint;  (2)  where  the  template  consisted  of  multiple  fingerprints; 
and  (3)  where  the  template  consisted  of  multiple  modalities,  particularly  fingerprint  and  iris.  In  the  case  where 
multiple  fingerprint  impressions  were  to  be  stored  as  a  single  template,  they  used  a  “mosaicing”  technique. In  the 

case  where  multiple  fingerprints  are  to  be  stored,  the  union  of  all  the  minutiae  sets  formed  the  basis 

of  the  vault.  In  the  case  where  fingerprint  and  iris  features  were  to  be  stored,  the  vault  set  was  derived  from  the 
union  of  all  points  between  the  two  feature  sets  where  Hamming  distance  HD  >  2. 

Performance 

The  researchers  tested  the  proposed  method  using  multiple  fingerprint  templates  and  multimodal  templates.  The 
experiment  on  multiple  fingerprint  templates  achieved  10%  FRR^^  at  0.02%  FAR  and  2.5%  FTCR.  The  experiment 


FRR  calculated  from  reported  GAR. 

The  means  by  which  the  minutiae  points  were  processed  resembled  that  by  Nandakumar  et  al.  (2007). 

The  mosaicing  technique  was  adapted  from  A.  Ross,  S.  Shah,  and  J.  Shah,  “Image  Versus  Feature  Mosaicing:  A 
Case  Study  in  Fingerprints,”  in  Proceec//ngs  ofSPIE  Conference  on  Biometric  Technology  for  Human  Identification 
(6202),  (2006):  1-12. 

Calculated  from  90%  GAR. 
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on  fingerprint  and  iris  images  achieved  1.8%  FRR^^  at  0%  FAR  and  0%  FTCR,  and  it  produced  a  vault  key  size  of 
224  bits.  Feasibly  the  multimodal  test  could  meet  the  performance  target  of  1%  FRR  at  0%  FAR  with  some  tuning. 
These  results  suggest  that  multimodal  authentication  is  superior  to  multifactor  authentication  as  a  means  of 
augmenting  security  and  performance  in  fuzzy  cryptosystems. 

Qrencik  et  aL  (2008) 

Orencik  et  al.  proposed  a  variation  of  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002)  that  was  designed  to  resist 
brute  force  attacks.  The  researchers  observed  that  genuine  points  could  be  distinguished  from  chaff  points  based  on 
the  distances  between  them  in  conventional  vault  sets.  The  proposed  method  entailed  a  more  sophisticated  means  of 
distributing  chaff  points  and  required  storage  of  multiple  chaff  polynomials,  a  novel  contribution  to  the  fuzzy 
cryptosystem. 

Method 

The  researchers  generated  chaff  points  such  that  each  one  was  at  least  t  Euclidian  distance  units  apart  from  a  genuine 
point  and  at  least  f  Euclidian  distance  units  apart  from  any  other  chaff  point.  The  threshold  t  is  set  according  to  the 
distribution  of  the  genuine  points,  but  the  researchers  did  not  formalize  a  method  for  selecting  this  threshold.  Figure 
1 5  compares  the  distribution  of  chaff  points  in  the  original  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002)  and  the 
proposed  method,  where  t  =  18  and  t  -  8.  The  chaff  point  distribution  of  the  proposed  method  more  closely 
resembles  that  of  the  genuine  points,  such  that  an  attacker  cannot  easily  distinguish  the  genuine  points  from  chaff 
points. 


Figure  15:  Chaff  point  distribution  by  Juels  and  Sudan  (2002)  (L)  and  Oreneik  et  al.  (2008)  (R);  genuine  points  darkened  (2008: 
40). 

To  construct  the  chaff  polynomials,  first  generate  a  random  number  r  that  is  close  to  the  number  of  genuine  points  n. 
For  the  first  polynomial  elect  k-1  random  points  from  the  vault  set  and  one  random  point  from  a  pool  of  random 
chaff  points.  For  the  other  polynomials  select  k  random  points  from  the  vault  set,  find  the  polynomial  of  degree  k-1 
that  passes  through  the  selected  points,  and  add  the  polynomial  to  a  list  of  chaff  polynomials.  Verify  if  there  are  any 
other  points  in  the  vault  set  laying  on  the  polynomial.  Decrease  r  by  the  number  of  points  in  this  polynomial.  Select  r 
points  from  the  pool  of  chaff  points  and  evaluate  them  on  the  chaff  polynomial.  Place  the  resulting  values  in  the 
vault  set.  Repeat  this  process  until  pool  of  chaff  points  is  empty. 

Performance 

The  researchers  tested  the  proposed  method  against  360  fingerprint  images  under  two  attack  scenarios:  brute  force 
attacks  and  Reed  Solomon  decoding.  They  achieved  1.5%  FRR  at  0%  FAR  where  the  vault  size  was  300,  the 
threshold  t=18,  k=10,  n=15  on  average,  and  the  minimum  distance  between  chaff  points  was  8.  These  are  decent 
results  compared  to  other  variations  of  the  fuzzy  cryptosystem  reviewed  in  this  report.  They  found  that  it  was  faster 


Calculated  from  98.2%  GAR. 
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to  recover  the  secret  polynomial  from  the  vault  set  using  Reed  Solomon  decoding  when  the  number  of  chaff  points 
was  large.  The  researchers  were  able  to  hide  30  chaff  polynomials  in  the  vault  set  using  the  proposed  method.  They 
claimed  that  this  decreased  the  probability  of  recovering  the  secret  polynomial  by  brute  force  from  100%  to  3.3%. 

Nagar  et  al.  (2009) 

Nagar  et  al.  found  that  empirical  tests  on  fuzzy  cryptosystems  yielded  poorer  results  than  other  methods  because 
they  were  optimized  to  work  with  limited  fingerprint  information.  The  researchers  proposed  a  variation  of  the 
method  that  stored  minutiae  descriptors  in  the  vault  sets,  providing  more  detailed  information  on  a  fingerprint  than 
just  the  coordinates  of  its  minutiae  points  including  the  frequency  and  orientation  of  the  ridges  around  each  minutiae 
point.  The  protected  template  was  a  nested  vault  set,  in  which  the  abscissa  values  of  the  minutiae  points  were  stored 
in  one  vault  set  and  the  ordinate  values  were  stored  in  a  another  vault  set. 

Method 

During  enrollment  a  16-bit  cyclic  redundancy  check  code  is  appended  to  a  16n-bit  key  K  and  divided  into  (n+1) 
blocks  of  1 6  bits  each.  The  blocks  served  as  the  coefficients  of  a  secret  polynomial  p(x)  of  degree  n  represented  in 
Galois  field  GF(2^^).  Minutiae  points  are  selected  from  the  template  based  on  their  quality  and  separation  from  one 
another,  as  done  by  Nandakumar  et  al.  (2007)  The  coordinates  and  angles  of  the  quality  minutiae  points,  along  with 
a  large  number  of  randomly  generated  chaff  points,  are  stored  in  the  vault  set  V. 

The  researchers  used  minutiae  descriptors  to  encrypt  the  ordinate  values^^  of  the  minutiae  points.  The  ordinate 
value  for  each  minutiae  point  was  used  to  obtain  a  codeword  C  from  an  error  correction  code.  The  design  of  the 
proposed  method  requires  that  the  minutiae  descriptors  be  represented  in  binary  format.  The  binarization  process 
consists  of  four  stages:  (1)  estimating  the  missing  values  based  on  nearest  neighbors;  (2)  reducing  the  dimensionality 
of  the  descriptor;  (3)  encoding  Gray  codes;  and  (4)  selecting  the  discriminable  bits.  The  secure  ordinate  value 

^  ®  along  with  the  abscissa  values,  are  stored  in  the  dataset  as  helper  data.  Descriptors  for  the  chaff 

points  are  randomly  chosen  from  the  set  of  all  descriptors  in  the  dataset.  One  might  consider  this  to  be  a 
vulnerability  whereby  an  attacker  could  analyze  the  occurrence  of  chaff  point  descriptors  to  distinguish  genuine 
points  from  chaff  points.  Such  an  attack  would  seem  especially  plausible  on  a  small  scale  dataset  where  the  diversity 
of  the  minutiae  descriptors  is  limited. 

During  authentication,  the  user  presents  a  fingerprint  image  which  is  aligned  with  one  or  more  templates  using  high 
curvature  points  as  described  in  Nandakumar  et  al.  (2007).  The  quality  minutiae  points  are  selected  from  the  query 
fingerprint  and  matched  with  points  in  the  vault  set  in  order  to  filter  out  most  of  the  chaff  points.  Minutiae 
descriptors  are  extracted  from  the  fingerprint  and  binarized.  The  descriptor  is  XORed  with  each  selected  query 
minutiae  and  its  ordinate  value  to  obtain  a  codeword  C',  which  is  decoded  to  obtains  a  representation  of  the  ordinate 
value.  If  the  ordinate  value  is  correctly  decoded  for  (n+1)  genuine  points  in  the  vault,  the  polynomial  p(x)  is 
correctly  reconstructed  and  the  query  is  validated. 

Performance 

The  researchers  tested  the  proposed  method  against  100  fingerprint  images  from  the  FVC2002  DB2  dataset, 
conducting  100  genuine  comparisons  and  9900  imposter  comparisons.  Results  yielded  5%  FRR  at  0.01%  FAR 
where  the  polynomial  degree  n=6.  FRR  rose  abruptly  where  the  polynomial  degree  n>9.  They  also  tested  the  method 
using  principal  components  analysis  to  reduce  the  dimensionality  of  the  descriptors.  This  scenario  yielded  higher 
false  acceptance  rates  than  when  principal  components  analysis  was  not  used. 

Alvarez  et  al.  (2009) 

Alvarez  et  al.  were  among  the  few  researchers  to  implement  the  fuzzy  extractor  method  proposed  by  Dodis  et  al. 


In  a  coordinate  y  represents  the  ordinate. 

The  researchers  adopt  the  methodology  proposed  by  J.  Feng,  2008,  “Combining  Minutiae  Descriptors  for 
Fingerprint  Matching,”  in  Pattern  Recognition  41(1):  342-352. 
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(2008).  The  proposed  method  is  resistant  to  collusion  attacks  because  the  biometric  input  is  not  used  in  the  creation 
of  the  polynomial;  instead  the  coordinates  of  the  minutiae  points  are  salted  by  a  secret  key  that  is  unique  across 
applications  and  can  be  reissued  in  the  event  that  the  template  is  compromised. 

Method 

During  enrollment,  the  user  presents  an  iris  image  and  a  predefined  secret  key  ^  represented  in  a  given  base.^^ 
Helper  data  from  the  iris  image  is  stored  in  the  dataset.  The  coefficients  of  the  polynomial  of  degree  ^  are 
derived  from  bits  of  the  secret  key  ^  ~  ^  such  that 

Then  ^  random  points  are  computed  such  that  3^  =  ^  J  0  S  f  S  n  —  1  where  ^  is  a  parameter  that  controls 
the  tolerance  of  the  templates.  The  value  of  ^  should  be  much  greater  than  ^  .  Reed-Solomon  encoding 
concatenates  the  coordinates  of  the  points  forming  a  codeword  set  ^  ^  A  hash 

function  obfuscates  the  codeword  set  ^  producing  a  set  of  hash  values 

Then  the  iris  template  ^  is  divided  into  parts  ^  1 1  'ii.l  LI  —  "  1}  .  Each  value  ^  ^  in  — 1 

is  subtracted  from  each  codeword  of  the  set^  ,  producing  in  the  delta  set  ^  in  which  each  element 
&i  =  -  iif,  0  S  f  £  n  -  1  such  that 

C'Q  j  1  111  j  j,^ 

Stored  in  the  dataset  are  the  hash  set-^  ,  the  delta  set^i,  and  control  parameters  necessary  for  authentication,  which 
include:  the  polynomial  degree ,  the  Reed-Solomon  parameters^^j  nHS^^i  the  hash  function  used,  and  the  base 
in  which  ^  is  represented. 

During  authentication,  the  user  presents  a  query  iris  image  and  secret  key.  The  query  template  ^  is  divided  into  ^ 
parts  such  that  ^  I  ^  1 1  -"I  I  1 J  .  The  elements  of  ^  and  the  stored  delta  set  A  are  used  to 

compute  the  codeword  setC  =  Sai  fi/  —  >  i-C'n-iJ .  The  elements  of  ^  are  hashed  using  the  stored  hash  function, 

and  the  hashed  elements  of  ^  are  compared  against  those  stored  in  the  dataset.  If  at  least  is  "h  1  values  coincide,  the 
template  is  considered  a  match.  But  the  secret  key  also  must  be  verified  before  authenticating  the  user.  A  Reed- 
Solomon  decoding  algorithm  obtains  at  least  ^  +  1  points  Lagrange  interpolation  obtains  the  coefficients 

of  the  secret  polynomial  If  the  polynomial  is  successfully  reconstructed,  the  secret  ^  would  be  revealed  and 

the  user  would  be  authenticated. 


Performance 

The  researchers  tested  the  proposed  method  against  175  iris  images  using  an  algorithm  they  developed  in  Java.  They 
achieved  11.1%  ERR  at  0.67%  FAR,  where  the  base  of  is  5 12,  the  polynomial  degree  ,  and  ?ii  =  81 . 

These  results  are  not  acceptable  for  most  practical  applications,  and  they  are  particularly  unsatisfactory  given  that 
iris  applications  typically  yield  lower  error  rates.  But  the  fuzzy  extractor  method  has  been  observed  little  in  practice, 
and  the  method  ought  to  endure  more  rigorous  experimentation  using  various  combinations  of  parameters  and 
inputs. 

Merkle  et  aL  (2010) 


Base  10,  16,  256,  512,  etc. 
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Merkle  et  al.  published  this  paper  in  reaction  to  the  concern  that  variations  of  the  fuzzy  vault  scheme  produced 
templates  with  no  more  than  50  bits  of  entropy  when  applied  to  fingerprint  biometrics.  The  researchers  pursued  the 
suggestion  of  those  who  made  that  claim,  which  was  to  buttress  the  fuzzy  fingerprint  vault  method  using  multiple 
fingerprints.  The  proposed  method  naturally  follows  that  of  Nandakumar  and  Jain  (2008)  who  also  applied  the  fuzzy 
vault  scheme  to  encrypt  singular  representations  of  multiple  fingerprint  impressions. 

Method 

Upon  presenting  a  fingerprint  image,  features  are  extracted  in  the  form  of  a  vector  i  which  respectively 

indicates  the  minutiae  coordinates  and  the  index  of  the  fingerprint  from  which  the  minutiae  point  originated.  The 
researchers  claimed  it  would  be  too  taxing  for  the  system  to  distinguish  genuine  points  from  chaff  points  were  the 
vector  to  include  information  on  the  minutiae  angles;  therefore  they  did  not  store  angle  data  in  the  vector.  The 
researchers  optimized  feature  extraction  in  several  ways.  One  novel  optimization  was  to  restrict  the  selection  of 
genuine  and  chaff  points  to  those  within  a  confined  area.^^  Optimizations  developed  from  prior  studies  include  the 
exclusion  of  unreliable  minutiae  for  the  feature  vector  during  enrollment,  the  enforcement  of  a  minimum  distance 
between  genuine  and  chaff  points,  and  the  enforcement  of  a  minimum  number  of  minutiae  points  per  finger.  And 
they  pre-aligned  the  fingerprints  and  the  threshold  for  rotation.  The  feature  vectors  of  ah  fingerprints  captured  by  the 
acquisition  device  were  stored  in  the  same  set  rather  than  in  separate  sets.  Doing  so  exponentially  increased  its 
resistance  to  brute  force  attacks.  However  the  researchers  observed  that  the  proposed  method  might  be  vulnerable 
to  brute  force  attacks  than  other  variants  of  the  fuzzy  cryptosystem  because  an  attacker  can  verify  when  a 
polynomial  is  recovered  using  the  hashed  value  of  the  secret  coefficients,  thereby  enhancing  the  efficiency  of  an 
attack.  Unlike  the  original  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002),  the  proposed  method  evaluated  the  secret 
polynomial  according  to  the  minutiae  indexes  rather  than  the  actual  biometric  data.^^ 

During  authentication,  the  user  submits  a  query  fingerprint  image.  The  image  is  prealigned  and  a  vector  of  quality 
minutiae  points  is  extracted  from  the  aligned  image.  The  feature  vector  is  matched  against  one  or  more  templates  in 
the  dataset.  A  Reed-Solomon  decoder,  specifically  the  Peterson-Berlekamp-Massey  decoder  used  by  Juels  and 

^  ^  rf)/ 

Sudan  (2002),  is  used  to  recover  the  secret  polynomial,  which  will  be  recovered  only  if  there  are  at  least  ^  2 

matching  points  between  the  query  template  and  the  genuine  points  in  the  vault  set.  The  correctness  of  the 
polynomial  is  compared  against  the  hash  value  of  the  true  polynomial  stored  in  the  dataset. 

Performance^^ 

Merkle  et  al.  tested  the  proposed  method  against  864  fingerprints.  They  tested  a  control  group  without  any  chaff 
points,  and  the  results  were  optimal  at  89%  FRR  where  ^  =  7  ,  Using  this  as  a  benchmark,  they  increased  the 
minutiae  quality  value  Q  over  several  iterations.  Where  ?  =  Oil  the  false  and  genuine  match  rates  remained 
nearly  unchanged,  but  where  ?  ■  0.2  the  false  match  rate  rose  by  30%.  Therefore  the  most  practical  results  offered 
by  the  proposed  method  are  approximately  1%  FRR  where  ^  and  ?  =  0-1  .  Enforcing  a  minimum  number  of 
minutiae  per  finger  increased  match  rate  by  up  to  3%  and  reduced  enrollment  rate  by  up  to  7%,  with  at  least  9 
minutiae  per  finger  being  the  optimal.  Their  prealignment  method  omitted  all  poor  quality  fingerprints  at  the 
expense  of  20%  false  positives,  whereas  without  prealignment  omitted  86%  poor  quality  images  at  the  expense  of 
35%  false  positives.  As  the  value  of  the  tolerance  parameter  rose,  false  match  rates  rose  significantly  while  false 
non-match  rates  bore  no  significant  change. 

4.4  Homomorphic  Encryption 

See  P.  Mihailescu,  A.  Munk  and  B.  Tams,  2009,  “The  Fuzzy  Vaults  for  Fingerprints  is  Vulnerable  to  Brute  Force 
Attack,”  in  BIOSIG  2009:  Biometrics  and  Electronic  Signatures:  43-54. 

Such  that  an  area  M  I  -  fl,  I  2£  (,&,  by  .  This  was  found  to  be  the  most  commonly  plotted  area 

from  a  sample  of  5.8  million  minutiae  points.  See  p.  3. 

See  pp.  4-5  for  more  information  on  quality  filtering  optimizations. 

To  store  each  feature  vector  in  its  own  set  and  concatenate  the  sets  would  result  only  in  a  linear  increase  of 
entropy.  An  exponential  increase  is  significant. 

See  pp.  5-6  for  more  information  on  encoding  the  secret  polynomial  including  pseudocode  for  the  enrollment  stage. 

Based  on  their  empirical  results,  the  researchers  offer  a  list  of  recommended  parameter  values  on  p.  11. 
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An  encryption  method  is  homomorphic  if  the  structure  of  the  ciphertext  is  preserved  in  the  encryption  of  the 
plaintext.  Homomorphism  has  a  “malleable”  property,  meaning  that  the  ciphertext  can  be  converted  into  another 
ciphertext  that  also  reverts  to  the  original  plaintext.  Homomorphic  encryption  can  be  used  to  calculate  the  similarity 
between  an  input  templates  and  stored  templates  in  the  encrypted  domain,  preventing  servers  from  extracting 
sensitive  information  from  a  query.  Many  of  the  proposed  homomorphic  encryption  methods  make  use  of  existing 
cryptosystems  proposed  by  Paillier,  Goldwasser-Micali,  and  ElGamal,  all  of  which  are  semantically  secure 
protocols.  Homomorphic  encryption  may  be  applied  to  one  step  in  the  template  protection  processes.  This  section  of 
the  report  reviews  methods  in  which  homomorphic  encryption  protocols  are  the  primary  means  for  protecting 
biometric  templates. 

4.4.1  Method 

Paillier 

Variations  of  the  Paillier  cryptosystem  are  additively  homomorphic,  meaning  that  the  ciphertext  is  equal  to  the  sum 
of  two  plaintexts  (xi,  X2)  such  that 


a(xi)-a(x2)=a(xi,x2  mod  m) 


The  encryption  of  a  plaintext  ^  is  expressed 

a(x)=g’‘r”  mod 

where  m  is  the  modulus  g  with  a  block  size  r. 

Goldwasser-Micali 

Variations  of  the  Goldwasser-Micali  cryptosystem  are  multiplicatively  homomorphic,  meaning  that  the  ciphertext  is 
equal  to  the  product  of  two  bits  (bi,  b2)  such  that 

e{b{)-e{b^)  =  e{b^@b^) 


ElGamal 

Variations  of  the  ElGamal  cryptosystem  are  multiplicatively  homomorphic,  meaning  that  the  ciphertext  is  equal  to 
the  product  of  two  plaintexts  (xi,  X2)  such  that 

6(Xi)-£(X2)  =  •X2) 


4.4.2  Vulnerabilities 

The  malleable  property  of  homomorphic  encryption  allows  someone  with  access  to  a  ciphertext  to  modify  its 
contents  and  produce  a  new  plaintext.  Theoretically  this  would  allow  an  attacker  with  access  to  a  dataset  of  secured 
templates  to  modify  the  contents  such  that  it  would  resemble  the  attacker  instead  of  the  genuine  owner. 

Nagar  et  al.  (2006)  suggested  the  application  of  a  homomorphism  to  obfuscate  the  helper  data  used  to  unlock  vault 
sets  in  fuzzy  cryptosystems.^^ 

4.4.3  Performance 

There  have  been  few  empirical  tests  on  template  protection  methods  using  homomorphic  encryption.  But 
verification  rates  are  impressive  in  the  few  tests  that  have  been  conducted.  Ye  et  al.  (2009)  achieved  the  best  results 


See  Nagar,  Abhishek,  Karthik  Nandakumar  and  A.  K.  Jain,  “Biometric  Template  Security,”  SP/E:  3. 
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using  homomorphic  encryption  but  did  not  meet  the  performance  target  of  1%  FRR  at  0.1%  FAR.  The  protected 
templates  matched  or  exceeded  the  minimum  length  necessary  for  use  as  cryptographic  keys  in  common  security 
protocols  like  AES.  Bami  et  al.  (2010)  proposed  a  method  that  was  able  to  identify  an  80-bit  template  from  a  dataset 
of  100  templates  in  45.58  seconds.  Huang  et  al.  (201 1)  proposed  a  method  that  improved  that  speed  by  almost  five 
times. 

4.4.4  Articles 


Barbosa  et  al.  (2008) 

Barbosa  et  al.  proposed  a  parametric  key  generation  method  that  borrowed  the  encryption  and  decryption  algorithms 
from  the  Paillier  cryptosystem.^^  The  researchers  adapted  the  work  of  Bringer  et  al."^^  to  develop  a  set  of 
identification  classifiers.  The  proposed  method  does  not  expose  identities  in  the  process  of  authentication  or 
identification,  upholding  the  privacy  of  the  user  in  distributed  authentication  systems  like  those  on  the  Internet.  They 
claimed  their  method  delivered  more  accurate  results  even  among  behavioral  modalities.  They  criticized  fuzzy 
cryptosystems  and  other  methods  based  on  error  correction  codes  for  their  poor  performance  and  their  ability  to 
secure  data  against  anything  except  eavesdropping  attacks.  The  researchers  did  not  test  their  method  empirically. 

Method 


The  proposed  method  assumes  that  the  acquisition  device  is  capable  of  processing  the  biometric  image  into  a  binary 
string  and  performing  cryptographic  operations  on  the  string.  The  system  initializes  by  generating  a  secret  key  using 
the  key  generation  algorithm  from  the  Paillier  cryptosystem.  Given  a  security  parameter  1^  the  algorithm  generates 
the  following:  n=pq  where  p  and  q  are  two  large  random  prime  numbers;  ^  —  1,  ij  —  !)■•  ^nd  a  random 

integer  #  ®  .It  follows  that  the  multiplicative  inverse  p  exists,  such  that 


= 


^  ^  m  od  n  ^  ^  mo  d 


n 


hence  the  public  key  ke=(n,g)  and  the  secret  key  k^=([i,X).  For  each  transaction  the  user  submits  a  query  from  which 
biometric  features  are  extracted  in  the  form  of  a  vector  v=(vi. .  .v^).  The  features  are  classified  according  to  the 
public  parameters  and  the  profile  information,  returning  a  set  of  classification  values.  The  classification  algorithm,  a 
“support  vector  machine,”  uses  homomorphic  encryption  to  compute  the  classification  values,  such  that 


pat-ami 


where  SVij  contain  vectors  that  define  the  inner  and  outer  hyperplane  in  a  k-dimensional  feature  space,  and  K  is  a 
function  that  projects  data  onto  a  higher  dimensional  space  and  computes  the  scalar  product.  The  encryption 
algorithm  produces  a  ciphertext  c=g”^-r^  mod  n^  where  m  is  a  plaintext  message,  r  is  a  random  integer,  and  n  and  g 
are  derived  from  the  public  key  ke=(n,g).  The  ciphertext  is  shuffled  into  a  random  vector  to  be  stored  in  the  dataset. 
During  authentication,  the  system  decrypts  the  elements  of  the  shuffled  ciphertext.  The  decryption  algorithm  outputs 
a  plaintext  m=L(c}i  mod  n^  )-p  mod  n  where  p  and  X  are  derived  from  the  secret  key  kd=(p,^). 


Ye  et  al.  (2009) 


Ye  et  al.  designed  a  biometric  authentication  protocol  that  preserved  the  anonymity  of  the  authenticating  user.  They 
pursued  three  goals.  Firstly,  they  sought  to  build  a  system  that  never  revealed  the  identity  of  the  user  to  the  system. 


See  Pascal  Paillier,  1999,  “Public-Key  Cryptosystem  Based  on  Composite  Degree  Residuosity  Classes,”  in  Lecture 
Notes  in  Computer  Science  1592:  223-238. 

Bringer,  J.  et  al.,  2007,  “An  Application  of  the  Goldwasser-Micali  Cryptosystem  to  Biometric  Authentication,”  in 
Lecture  Notes  in  Computer  Science  4586:  96-106. 

See  K.  Crammer  and  Y.  Singer,  2001 ,  “On  the  Algorithmic  Implementation  of  Multiclass  Kernel-Based  Vector 
Machines,”  in  Journal  of  Machine  Learning  Research  2:  265-292. 
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Methods  in  prior  research  often  encrypted  the  templates  after  each  transaction  but  exposed  the  owner  of  the  template 
at  some  point  in  the  transaction  process.  Secondly,  like  prior  researchers,  they  sought  to  build  a  system  that 
withstood  intraclass  variability.  And  thirdly,  they  sought  to  construct  a  scalable  system  that  would  perform  well  in 
environments  with  large  datasets,  while  controlling  the  tradeoff  between  security  and  performance.  Their  solution  to 
the  complexity  issue  was  to  keep  an  authenticating  user  anonymous  only  to  k  but  not  the  entire  dataset,  where  k  is  a 
parameter  of  anonymity.  The  proposed  method  was  similar  to  the  k-anonymity  model  by  Sweeny.  The  proposed 
method  optimized  the  dissimilarity  among  members  of  the  same  k-member  cluster.  The  researchers  mentioned  the 
possibility  of  designing  a  template  protection  method  based  on  secure  multiparty  computation,  but  they  opted  for 
homomorphic  encryption  due  to  its  allegedly  superior  efficiency. 

Method 

The  proposed  system  consists  of  three  devices:  a  server,  a  dataset,  and  a  biometric  acquisition  device.  These  devices 
are  used  in  three  high  level  procedures.  In  the  first  procedure,  triggered  by  an  enrollment  request,  the  server 
preprocesses  the  image  by  way  of  k- Anonymous  Quantization.  The  resulting  quantization  table  will  be  used  to 
narrow  the  scope  of  future  queries  from  the  entire  dataset  to  a  group  of  likely  candidates  called  a  “k-member 
cluster,”  which  was  designed  to  boost  the  speed  of  identification.  The  server  stores  the  quantization  table  in  a 
publicly  available  dataset.  In  the  second  procedure,  triggered  by  an  authentication  request,  indexes  from  the  dataset 
are  selected  in  a  secure  fashion.  In  the  final  procedure,  distance  measurements  between  a  query  template  and  one  or 
more  protected  templates  are  conducted  in  the  encrypted  domain. 

During  enrollment  the  user  presents  an  iris  image  x.  The  researchers  use  the  Paillier  homomorphic  encryption 
scheme  to  derive  the  public  key  from  the  input  x  such  that 

£’nCpk(x)  =  [(1  +  N)x  •  r^mod  N^] 

where  N  is  the  product  of  two  secret  primes  and  r  is  a  random  number. 

During  authentication,  the  user  submits  a  public  key  and  an  iris  image.  A  modified  Hamming  distance  algorithm 
measures  the  dissimilarity  between  the  query  iris  pattern  and  one  or  more  stored  iris  patterns  in  the  encrypted 
domain.  The  distance  between  the  query  iris  and  one  or  more  secure  templates  is  calculated  in  the  encrypted 
domain. 

Performance^^ 

The  researchers  tested  the  proposed  access  control  system  against  1,948  iris  images  from  the  CASIA  dataset.  It  took 
1 1.5  hours  to  encrypt  and  match  10,000  iris  images,  or  about  4.15  seconds  per  image,  from  the  dataset  on  a  machine 
with  a  2.4  GHz  CPU  and  2  GB  RAM.  They  achieved  ~4%  FRR  -^0%  FAR. 

Rane  et  al.  (2009) 

Rane  et  al.  designed  a  homomorphic  cryptosystem  for  securing  fingerprint  templates  and  computing  the  Hamming 
distance  or  Euclidian  distance  between  templates  in  the  encrypted  domain.  The  researchers  adopted  the  Paillier 
encryption  protocol.  They  did  not  test  the  accuracy  of  the  proposed  method. 

Method 

For  each  transaction,  the  user  presents  a  fingerprint  from  which  a  binary  feature  vector  x^  is  extracted.  The  query 
will  be  compared  against  a  protected  template  y^  stored  on  the  dataset.  The  researchers  adopted  the  Paillier 
cryptosystem  is  used  to  encrypt  and  decrypt  the  template  information  prior  to  computing  the  distance  metrics,  such 
that 


See  L.  Sweeny,  “/c-Anonymity:  A  Model  for  Protecting  Privacy,”  International  Journal  of  Uncertainty,  Fuzziness  and 
Knowledge-Based  Systems,  10(50),  557-570,  2002. 

See  p.  4  for  a  description  of  their  modification. 

Results  are  discussed  in  great  detail  on  pp.  12-15. 
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*  r^mod(iV^) 


where  r  is  a  randomly  generated  number,  p  and  q  are  large  prime  numbers,  N=p'q,  and  g  is  a  number  selected  such 
that  gcd(L(g®  mod  (N^))N)=1.  A  public  key  is  defined  as  (N,g)  and  a  private  key  is  defined  as  (p,q).  The  client 
encrypts  the  query  fingerprint  Xi  into  in  (xi)  using  the  above  protocol.  The  encrypted  results  are  transferred  to  the 
server.  The  server  then  computes  the  following: 


yi  =  —  2yi  mod  (A) 

/  ri  \  " 

^  2Xiyi  j  =  Y\  ^ri(-2xiyi)  mod(N^) 

V  i=l  /  i=l 


n  TL 

C  ■  -  T  TV  ■  rir^ 

S  and  T.i 


where  imi  and  Tmi  .  The  result  ■ff  }  is  .  This  computation  is  executed  in  the 

encrypted  domain,  so  the  server  has  no  knowledge  of  ^  or  .  The  server  then  generates  a  random  number  ^  and 
computes 


irf(B+C)=i,b(B)v(C)mod(N^) 


where  rd=rbrcmod(N).  The  results  are  transferred  to  the  client.  The  client  then  generates  a  random  number  ra  and 
computes 


^dix^.y^))  =  +  B  +  C)  =  +  O  mod(N^) 


where  S  is  the  binary  Hamming  distance,  ^  ^  i  .1  and  i-i  .  That  value  of  ^  is 

unknown  to  Alice.  The  squared  Euclidian  distance  can  be  expressed  as 


n  ft 

dCx^.y-)  =  +  y^  -  2jr,y,)  =  A  +  B  +  C 


Decryption  is  computed  such  that 


L(c^  mod(/V^)) 


m  mod(/V  ) 


where  ^  =  Icmfe?  -  1,  if  -  1>  and  . 

Barni  et  al.  (2010) 

Bami  et  al.  proposed  a  homomorphic  cryptosystem  that  facilitated  the  matching  of  fingerprint  templates  in  the 
encrypted  domain. 


Method 
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At  a  high  level,  the  proposed  encryption  method  consists  of  three  stages.  In  the  first  stage,  the  image  is  captured  and 
processed  into  a  template.  For  each  transaction  the  user  presents  a  fingerprint  image  to  an  acquisition  device,  and 
features  are  extracted  from  the  query  image  to  obtain  a  template  whose  structure  reflects  that  proposed  by  Jain  et  al 
(2000).^^  In  the  second  stage,  the  template  is  quantized.  Both  the  first  and  second  stages  significantly  influence  the 
verification  performance  of  the  system.  In  the  third  stage,  the  quantized  template  is  encrypted  with  a  public-key  on 
the  server  using  a  homomorphic  cryptosystem.  Matching  occurs  in  the  encrypted  domain. 

The  proposed  encryption  protocol,  which  is  executed  in  the  third  stage  of  the  method,  incorporates  elements  of  the 
Paillier  protocol  and  the  ElGamal  protocol  using  elliptic  curves  to  preserve  bandwidth.  The  distances  between  the 
quantized  query  vector  and  the  vectors  in  the  dataset  are  computed  in  the  encrypted  domain  using  these  two 
cryptosystems."^^  If  simply  accepting  or  rejecting  the  user  based,  the  servers  computes 


ifli 


i=l 


where  ^  is  a  random  integer.  The  user  will  be  rejected  if  |[R]]=0. 


Performance 


The  researchers  tested  the  proposed  method  against  408  fingerprint  images.  The  results  yielded  6.5%  EER.  At  the 
configuration  necessary  to  achieve  this  level  of  accuracy,  they  were  able  to  identify  80-bit  templates  in  a  dataset  of 
100  templates  in  45.58  seconds  at  a  quantization  step  of  4.  Computations  were  conducted  on  machines  with  2.4  GHz 
processors  and  4GB  RAM. 


Huang  et  al.  (2011) 

Huang  et  al.  proposed  an  encryption  method  that  they  claimed  was  computationally  efficient.  The  proposed  method 
uses  homomorphic  encryption,  oblivious  transfer,  and  garbled  circuits. 


Method 


47 


OJ 

D 


Figure  16:  System  overview  (2011:  3) 


See  A.  K.  Jain,  S.  Prabhakar,  L.  Hong,  and  S.  Pankanti,  2000,  “Filterbank-based  fingerprint  matching,”  IEEE 
Transactions  on  Image  Processing,  vol.  9:  846-859. 

The  protocol  is  discussed  in  Mauro  Barni,  2010,  “Privacy-Preserving  Fingercode  Authentication,”  in  12^^  ACM 
Multimedia  and  Security  Workshop. 

Source  code  for  the  software  is  freely  available  at  http://www.miqhtbeevil.orq/secure-biometrics/ 
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At  a  high  level  the  proposed  protocol  consists  of  three  stages.  First  is  to  securely  measure  the  Euclidian  distance 
between  the  query  and  storage  templates.  Second  is  to  securely  match  the  encrypted  templates.  The  third  stage  is  to 
obliviously  transfer  the  match  results.  To  preprocess  the  images,  the  researchers  used  the  filterbank  approach 
proposed  by  Bazen  et  al.  (2000).^^ 

The  Euclidian  distance  measurement  protocol  is  based  on  an  additively  homomorphic  encryption  scheme.  The 
server  inputs  a  vector  matrix  [vijJmxn  and  the  client  inputs  a  single  feature  vector  [v  q. .  .v^n]*  The  distance  di  between 
the  stored  vector  Vi  and  the  query  v’  is  expressed  verbosely  as 


resulting  in  a  distance  vector  d={di,d2. .  ..,dM}.  The  server  transfers  the  data  to  the  client  using  a  garbled  circuit 
protocol.  It  begins  with  knowledge  of  the  distance  measurements  d  and  generates  a  set  of  nonce  masks 
r=[ri,r2,. .  .,rM]  and  then  sends  the  client 


Is:'.  ||...  E  +  t^2||  ...  -t- 

where  pk  is  the  client’s  public  key.  The  sampling  range  of  should  be  large  enough  that  d'i  and  di  are  statistically 
indistinguishable.  A  backtracking  protocol  is  used  to  transfer  the  match  results.  The  protocol  ensures  that  the  server 
gains  no  knowledge  of  the  data  and  the  client  gains  nothing  other  than  the  data  associated  with  the  closest  match. 


Performance 


The  researchers  tested  the  computational  efficiency  of  their  method.  They  claimed  the  method  performed  with  4.6 
times  the  speed  and  58%  of  the  bandwidth  of  the  method  proposed  by  Bami  et  al.  (2010).  The  tests  were  conducted 
on  similar  machines,  with  2.0  GHz  processors  and  4GB  RAM.  Distance  measurement  accounts  for  a  majority  of  the 
processing  time,  and  circuit  garbling  accounts  for  a  majority  of  the  bandwidth.  They  did  not  test  the  verification 
performance  of  their  protocol. 

Further  Reading 

Huang,  Yan  et  al.  2011.  “Efficient  Privacy-Preserving  Biometric  Identification.”  18^^  Network  and  Distributed 
System  Security  Symposium,  http://www.mightbeevil.org/secure-biometrics/ndss-talk.pdf 


See  A.  Bazen,  G.  Verwaaijen,  S.  Gerez,  L.  Veelenturf,  and  B.  van  Der  Zwaag,  2000,  “A  Correlation-Based 
Fingerprint  Verification  System,”  in  ProRISC2000  Workshop  on  Circuits,  Systems  and  Signal  Processing. 
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4.5  Local  Aggregation 


Local  aggregation  is  a  means  of  extracting  features  from  a  biometric  input  by  counting  the  number  of  features  that 
appeared  within  the  confines  of  many  randomly  generated  regions  superimposed  the  input.  Figure  17  illustrates  this 

concept,  where  each  element  in  the  set  contains  the 
number  of  features  found  in  one  of  the  randomly 
superimposed  regions.  Regions  are  generated 
according  to  a  secret  key  that  is  unique  to  every  user. 
This  implies  that  each  user  has  a  unique  but 
repeatable  pattern  of  random  regions.  If  someone 
were  to  present  a  stolen  image  without  its 
corresponding  key,  features  would  be  counted 
incorrectly  and  the  imposter  would  be  invalidated. 

Templates  produced  by  this  method  can  be  cancelled 
by  reenrolling  the  biometric  with  a  different  key, 
resulting  in  a  new  pattern  of  random  regions.  The 
method  is  considerably  tolerant  to  intraclass 
variations  because  it  checks  only  for  the  presence  of 
Figure  17:  Local  aggregation  methods  generate  features  within  wide  regions.  Intraclass  variations 

sets  based  on  minutiae  in  each  random  region  due  to  minor  rotation,  translation,  and  warping  are 

not  likely  to  push  the  features  outside  the  boundaries  of  the  regions  as  long  as  the  input  is  aligned.  Cryptographic 
keys  are  computed  from  metrics  like  the  number  of  minutiae  points  within  each  region,  which  are  easier  to 
reproduce  in  subsequent  transactions  than  the  exact  coordinates  and  angles  of  the  minutiae  points.  Overall  this 
method  possesses  the  advantage  of  computational  simplicity.  Furthermore,  because  this  approach  does  not  transform 
the  biometric  features,  it  avoids  producing  inadvertent  errors  due  to  arbitrarily  or  unreliably  designed  transform 
functions. 


4.5.1  Articles 
Sutcu  et  al.  (2008) 

Sutcu  et  al.  applied  the  Slepian-Wolf  error  correction  framework  to  encrypt  fingerprint  templates. The  proposed 
method  counts  the  number  of  minutiae  points  from  multiple,  randomly  placed  regions  of  the  fingerprint  template  to 
generate  binary  feature  vectors  appropriate  for  low-density  parity  check  (LDPC)  syndrome  coding,  a  belief 
propagation  algorithm. 

Method 

At  a  high  level,  three  steps  constitute  the  enrollment  and  authentication  stage.  First,  a  feature  map  is  extracted  from 
an  acquired  fingerprint  image.  Second,  a  transform  function  maps  the  minutiae  points  to  a  binary  feature  vector. 
Finally,  a  syndrome  encoding  function  maps  the  binary  feature  vector  into  a  secure  syndrome.  The  dataset  stores  the 
secure  syndrome,  the  LDPC  code,  and  a  cryptographic  hash  of  the  binary  feature  vector. 


See  D.  Slepian  and  J.K.  Wolf,  1973,  “Noiseless  Coding  of  Correlated  Information  Sources,”  in  IEEE  Transactions 
on  Information  Theory:  471-480. 

See  Robert  G.  Gallager,  1963,  “Low-Density  Parity-Check  Codes.” 
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For  each  transaction  the  user  presents  a  fingerprint  image  from  which  a  feature  vector  M=(xi,yi,ei)  is  extracted  where 
Xi,yi  ,ei  respectively  indicate  the  coordinates  and  angle  of  the  minutiae  points.  The  number  of  minutiae  points  is 

counted  within  multiple  cuboidal  regions  randomly 
superimposed  on  the  feature  vector.  Figure  16  illustrates  the 
manner  in  which  the  regions  are  superimposed.  If  the  number 
of  minutiae  points  within  a  given  region  is  less  or  greater  than 
a  predefined  threshold,  a  bit  value  of  0  or  1  is  respectively 
appended  to  the  feature  vector.  In  an  enrollment  transaction,  a 
Slepian-Wolf  encoder  generates  a  syndrome  from  the  feature 
vector  and  stores  the  syndrome  in  a  dataset.  In  an 
authentication  transaction,  the  LDPC  decoder  combines  the 
secure  template  s  and  the  query  template  b  and  applies  belief 
propagation.  The  result  is  a  an  estimate  ^  of  the  enrolled 
feature  vector  a.  Access  is  granted  to  the  user  if  the  hash 
values  of  ^  and  a  match. 

Figure  18:  Example  of  a  randomly  plaeed  euboidal 
region  eontaining  seven  minutiae  points  (2008:  4). 


Performance 

The  researchers  tested  the  proposed  method  against  1,035  prealigned  minutiae  maps  from  69  fingerprints.  They 
achieved  as  low  as  11%  FRR  at  0.01%  FAR,  meeting  at  2.7%  EER.  At  this  level  of  accuracy  the  protected  template 
possessed  30  bits  of  security.  Its  accuracy  is  owed  in  large  part  to  the  prealignment  of  the  fingerprint  template. 

Jin  et  al.  (2009) 

Jin  et  al.  produced  cancelable  fingerprint  templates  by  counting  the  number  of  minutiae  points  within  randomly 
generated  regions  superimposed  on  the  acquired  image.  They  claimed  the  method  was  resistant  to  minor  intraclass 
variations  due  to  translation  and  rotation.  The  proposed  method  required  no  prealignment  of  the  images  because  the 
minutiae  are  projected  onto  a  two  dimensional  space  according  to  reference  minutiae. 

Method 

Minutiae  points  Mi=(xi,yi,ei)  are  extracted  where  Xi  ,yi,ei  respectively  indicate  the  coordinates  and  angle  of  the 
minutiae  points.  One  minutiae  point  M^.  is  selected  as  a  reference  point  by  which  all  other  minutiae  points  will  be 
translated  such  that 
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where  W  and  H  are  the  width  and  height  of  the  image.  This  translation  centers  the  minutiae  points  around  the 
reference  point,  which  ultimately  allows  the  proposed  scheme  to  tolerate  intraclass  variations.  The  number  of 
minutiae  points  within  the  confines  of  each  random  region  is  stored  on  a  vector.  The  researchers  used  triangular 
regions  to  preserve  computational  simplicity.  They  surmised  that  other  shapes  were  unlikely  to  enhance  entropy  or 
matching  accuracy;  rather  they  found  that  error  rates  could  be  reduced  simply  by  increasing  the  number  of  regions. 

The  server  assigns  a  unique,  secret  key  to  every  user  during  enrollment.  The  key  is  a  set  of  random  numbers  that 
determines  the  shape  and  location  of  several  triangular  regions  to  be  superimposed  on  the  image.  In  the  event  that  a 
template  is  compromised,  the  key  can  be  reissued  to  cancel  the  compromised  template  and  enroll  a  new  one.  Within 
each  triangular  region,  the  number  of  minutiae  points  falling  within  an  angular  range  is  recorded  to  a  vector.  Figure 
17  illustrates  this  concept,  where  the  number  of  minutiae  points  is  counted  per  angular  range  within  a  superimposed 
region.  The  feature  vectors  for  multiple  random  regions  are  concatenated  into  a  bit  string. 
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Figure  19:  Bit  string  as  function  of  minutiae  points  per  angular  range  per  random  region  (2009:  526) 


Performance 


The  researchers  tested  their  method  against  800  fingerprint  images,  using  VeriFinger  Standard  SDK  to  extract  the 
minutiae  coordinates.  They  achieved  2.81%  HER  where  10  random  triangles  were  used  and  0.20%  EER  where  20 
random  triangles  were  used.  In  the  proposed  method,  the  principal  tradeoff  for  security  was  computational  time,  not 
matching  accuracy.  The  researchers  briefly  mentioned  that  in  a  stolen-token  scenario,  EER  can  increase  to  more 
than  10%.  The  security  of  this  method  as  it  pertains  to  stolen  tokens  should  be  evaluated.  This  method  is 
computationally  simple  compared  to  others  reviewed  in  this  report. 

Nagar  et  aL  (2010) 

Nagar  et  al.  proposed  a  method  to  secure  fingerprint  templates  following  the  methodology  of  Sutcu  et  al.  (2008). 
They  extended  the  method  to  extract  both  the  minutiae  points  and  the  fingerprint  ridges. 

Method 

For  each  transaction,  the  user  presents  a  fingerprint  image  from  which  a  feature  vector  is  extracted  as  shown  in 
Figure  20.  If  the  algorithm  is  developed  to  extract  minutiae  points,  the  feature  vector  will  consists  of  xi,yi  ,ei  which 
respectively  indicate  the  coordinates  and  angle  of  the  minutiae  points.  If  developed  to  extract  fingerprint  ridges,  the 
feature  vector  will  consist  of  xi,yi  which  represent  the  coordinates  of  the  ridges.  Geometric  regions  are  randomly 
superimposed  on  the  feature  vector  and  the  number  of  minutiae  points  or  fingerprint  ridges  is  counted  in  each 
region.  Figure  20  illustrates  this  concept.  For  each  region,  three  measurements  are  recorded  when  selecting  minutiae 
points:  (1)  the  sum  of  the  closest  distance  of  each  minutiae  point  from  the  regional  boundaries;  (2)  the  average 
coordinate  of  all  the  minutiae  present  in  the  region;  and  (3)  the  standard  deviation  of  the  minutiae  coordinates 
present  in  the  region.  If  the  number  of  features  is  less  or  greater  than  predefined  median  thresholds  for  these  values, 
then  a  respective  bit  value  of  0  or  1  is  appended  to  the  binary  feature  vector.  The  binary  feature  vector  is  curated 
such  that  only  the  most  reliable  bits  are  extracted.  The  bits  are  altered  by  a  low  density  parity  check,  and  the  final 
output,  a  secure  syndrome,  is  stored  in  the  dataset. 
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Performance 


The  researchers  tested  their  method  against  800 
fingerprint  images  from  the  FVC2002  Dataset-2, 
generating  500  random  cuboidal  regions  per  finger. 
They  achieved  as  low  2%  HER  under  normal 
circumstances,  when  an  imposter  has  now  knowledge 
of  the  template.  Results  fell  to  3%EER  when  an 
imposter  has  knowledge  of  discriminable  feature  bits, 
and  were  worst  at  10.2%  EER  when  the  imposter  had 
knowledge  of  the  aggregate  wall  distance.  These  results 
suggest  that  the  method  is  robust  against  attacks 
whereby  an  attacker  has  knowledge  of  some,  but  not 
all,  of  the  template  information.  These  results  signify  a 
slight  increase  in  accuracy  compared  to  Sutcu  et  al. 
(2008),  although  this  could  be  due  in  part  to  the 
prealignment  of  the  fingerprint  images. 

4.6  Multifactor  Key  Generation 

Multifactor  key  generation  combines  a  biometric  with  one  or  more  other  inputs,  such  as  a  password  or  token,  to 
produce  cryptographic  keys.  This  approach  is  essentially  a  form  of  salting,  whereby  the  user  supplies  secret 
auxiliary  information  that  that  influences  the  transformation  of  the  biometric  image  or  template.  Combining 
biometrics  with  other  authentication  factors  has  proven  to  be  a  reliable  means  of  generating  secure  templates  or 
cryptographic  keys. 

From  a  security  perspective,  this  method  is  advantageous  because  it  combines  something  that  the  user  is  with 
something  that  the  user  has  or  knows.  The  principal  tradeoff  for  security  in  multifactor  key  generation  protocols  is 
usability,  not  necessarily  verification  performance.  Access  control  systems  that  use  multifactor  key  generation  could 
easily  become  a  hassle  to  users  who  forgot  their  password  or  token.  Furthermore,  the  need  to  present  multiple  inputs 
during  authentication  is  impractical  for  applications  like  security  checkpoints. 

4.6.1  Vulnerabilities 

Stolen  Token 

Theoretically  the  security  of  the  encrypted  template  is  no  greater  than  that  of  least  secure  authentication  factor, 
assuming  that  any  authentication  factor  can  stolen  and  used  by  an  imposter.  Kong  et  al.  (2010)  criticized  the  method 
by  Teoh  et  al.  (2004),  known  for  having  achieved  0%  EER,  in  which  biometric  inputs  are  irreversibly  transformed 
by  tokenized  random  numbers.  The  critics  argued  that  the  method  lost  any  practical  security  when  the  token  was 
stolen,  thereby  rendering  the  token  redundant.  Teoh  et  al.  (2004)  introduced  multispace  random  projections  as  a 
means  to  harden  the  original  method  against  stolen  token  attacks. 

4.6.2  Performance 

Empirical  results  on  multifactor  key  generation  have  produced  mostly  good  results.  It  has  been  tested  on  fingerprint, 
iris,  face,  voice,  keystroke  and  multimodal  biometrics.  Teoh  et  al.  (2004)  reported  perfect  match  rates  from  their 
experiment  on  fingerprint  hashing,  though  they  produced  inconsistent  results  in  subsequent  studies.  Some 
researchers  argued  that  the  high  performance  of  schemes  combining  biometrics  with  a  stored  or  known  input  were 
owed  entirely  to  that  second  input;  and  therefore  it  was  redundant  to  include  biometrics  in  the  key  generation 
process. 


Figure  20:  Example  of  loeal  aggregation  from  randomly 
superimposed  regions. 


From  Abhishek  Nagar,  Shantanu  Rane  and  Anthony  Vetro,  2010,  “Privacy  and  Security  of  Features  Extracted  from 
Minutiae  Aggregates,”  Mitsubishi  Electric  Research  Laboratories. 
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4.6.3 


Articles 


Monrose  et  al.  (2001a) 

Monrose  et  al.  proposed  a  multifactor  key  generation  protocol  that  analyzed  the  keystroke  dynamics  of  users  as  they 
typed  passwords.  If  the  keystroke  pattern  did  not  match  the  pattern  recorded  during  enrollment,  the  system  would 
not  authenticate  the  user  even  if  the  password  was  correct.  The  proposed  method  adapts  to  changes  in  the  typing 
pattern  of  a  user  over  time. 

Method 


Each  user  account  stores  two  data  structures:  (1)  an  instruction  table  containing  (i,aai,aai)  for  each  feature  (j)i  (a,l)  that 


controls  how  the  algorithm  will  harden  the  password  using  the  biometric  features;  and  (2)  a  symmetrically  encrypted 
history  file  that  contains  measurements  on  all  features  recorded  over  some  number  of  successful  logins.  For  each 


feature  (^i  (a,l)  the  login  program  uses  ”pwd”'  to  decrypt  or  dai  such  that 


_  { 

l(2i  +  • 


Swd'(20  ^  mod  q)  if  0(a,  0  < 

Swd'(2i  +  1)"^  mod  q)  if0(a,  0  <  ti 


where  i?  is  a  large  prime  number, G  is  a  pseudorandom  function  family. This  creates  m  points  {(xi,yi)  }  <  i  <m. 
The  login  program,  then  decrypts  the  history  with  an  algorithm  hwpd'  such  that 

m 

hwpd'  =  ^  Ti  •  rnod  Q 

i  =  l 

where  Ci  is  the  Lagrange  coefficient  for  interpolation,  expressed  as 


n 


If  the  hardened  password  decrypts  the  history  file,  the  history  file  is  updated  to  include  the  keystroke  dynamics  of 
the  current  login  attempt  and  computes  the  standard  deviation  of  all  keystroke  dynamics  contained  in  the  file.  The 
researchers  measured  the  duration  of  keystrokes  and  the  latency  between  keystrokes  in  their  implementation.  They 
designed  two  variations  of  the  proposed  system:  one  used  exponentiation^"^  and  the  other  used  vector  spaces.  These 
variations  addressed  several  security  vulnerabilities  observed  in  the  foundational  approach  described  above. 

Performance 

The  researchers  tested  their  method  against  188  authentication  attempts  on  a  program  that  associated  users’ 
keystroke  dynamics  with  their  passwords.  The  results  yielded  48.4%  ERR  where  ~12  distinguishing  features  were 
recorded  and  22.9%  ERR  where  ~7  distinguishing  features  were  recorded.  This  approach  has  an  advantage  of 


160  bits  is  sufficient,  p.  3. 

See  R.  L.  Rivest,  “Cryptography,”  Handbook  of  Theoretical  Computer  Science,  pp.  717-755. 
See  pp.  5-6  for  details  on  the  variation  using  exponentiation. 

See  pp.  6-7  for  details  on  the  variation  using  vector  spaces. 
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usability  compared  to  other  multifactor  schemes  like  BioHash  because  the  user  does  not  have  to  supply  two  forms  of 
information;  for  the  biometric  data  is  acquired  automatically  upon  typing  the  password.  However,  due  to  its 
reportedly  high  error  rates,  it  is  likely  that  a  legitimate  user  must  input  their  password  multiple  times  before  the 
system  authenticates  them.  The  entropy  of  the  hardened  password  depends  on  the  entropy  of  the  input  password  and 
the  number  of  distinguishing  characteristics  parameterized  in  the  keystroke  analysis  algorithm. 


Monrose  et  al.  (2001b) 

Monrose  et  al.  built  upon  their  multifactor  key  generation  scheme  whereby  a  password  is  hardened  by  biometric  data 
acquired  during  enrollment.  They  had  applied  their  scheme  to  the  keystroke  biometrics,  which  meant  that  the  input 
password  consisted  of  an  unambiguous  sequence  of  characters.  In  this  paper,  the  researchers  attempted  to  apply  their 
method  to  vocal  biometrics.  This  presented  a  new  challenge.  Unlike  passwords,  vocal  utterances  vary  for  each 
transaction.  Therefore  the  encryption  of  vocal  characteristics  was  more  complicated  than  merely  running  the  input 
through  a  hash  function.  The  authors  were  not  satisfied  by  merely  hashing  a  password  extracted  from  by  automatic 
speech  recognition.  Instead  the  proposed  method  attempted  to  recognize  how  a  user  uttered  the  password,  storing  the 
vocal  features  in  a  protected  set.  This  allowed  the  system  to  verify  identities  based  on  vocal  characteristics. 

Method 

During  enrollment,  the  user  utters  a  phrase  and  the  vocal  sample  is  segmented  into  30-ms  frames.  Each  frame 
corresponds  to  one  component  sound  of  the  utterance.  Silent  frames  are  discarded.  The  segments  are  then  mapped 
onto  a  set  of  features.  An  m-bit  feature  descriptor  is  derived  from  the  segmented  features.  The  researchers  described 
three  algorithms  for  extracting  features  but  only  reported  on  one  that  depended  on  the  position  relative  to  a  plan 
through  the  centroid.  The  algorithm  allowed  them  to  produce  46-bit  keys  from  two-second  utterances.  The  algorithm 
can  be  expressed  as 


0  if  a  •  -  c(Ri)  <  0 

1  if  a  •  (fi(Ri  -  c(Ri)  >  0 


where  a  is  a  fixed  vector,  i(Ri)  is  a  vector  of  the  average  values  of  the  segment  frames,  c(Rj)  is  the  centroid,  and  b(i) 
represents  the  position  of  i(Ri)  relative  to  the  plane  a-x=0  translated  to  a  coordinated  space  whose  origin  is  c(Ri).  The 
resulting  feature  descriptor  is  a  bit  string. 

Performance 


The  researchers  tested  the  proposed  method  against  250  utterances.  The  proposed  method  achieved  <  5%  ERR 
where  k=1.875  and  v=0.25,  and  <  30%  ERR  where  k=1.250  and  k=0.95.  In  general,  the  number  false  rejects 
increased  as  k  decreased  and  as  v  increased.  It  may  be  noted  that  telephones  were  used  to  acquire  the  biometric 
samples  to  the  detriment  of  matching  performance.  Like  their  previous  method,  this  multifactor  key  generation 
scheme  has  the  advantage  of  usability.  Both  the  password  and  the  biometric  are  acquired  in  the  same  action. 

Teoh  et  al.  (2004) 

Teoh  et  al.  hypothesized  that  a  multifactor  key  generation  method  that  integrated  biometrics  with  known  inputs 
would  safeguard  the  privacy  of  biometric  data  without  significantly  decreasing  verification  performance.  They 
argued  in  favor  of  combining  biometric  data  with  a  tokenized  random  number  rather  than  a  password  which  is  more 
susceptible  to  theft,  to  generate  or  match  an  encrypted  biometric  template.  Guided  by  this  hypothesis  the  researchers 
developed  an  encryption  method  called  “BioHash,”  wherein  fingerprint  minutiae  and  a  tokenized  random  number 
both  influence  the  generation  of  a  cryptographic  key.  The  proposed  method  remains  one  of  the  top  performers  in 
terms  of  error  rates  relative  to  other  empirical  test  results  reviewed  in  this  report. 

Method 


The  proposed  method  involves  two  general  steps:  first  to  segment  the  biometric  features,  then  to  hash  the  features 
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using  the  tokenized  random  number  as  an  influencing  parameter.  The  researchers  applied  an  integrated  wavelet 
transform  and  a  Fourier-Mellin  transform  to  segment  the  fingerprint  minutiae.  Then  they  aligned  the  images  to 
achieve  a  common  size,  angle,  and  position.  The  resulting  feature  data  was  altered  by  a  quantization  process, 
which  consist  of  four  steps: 


1 .  Derive  a  pseudorandom  number  {q  G  |  i=l,. .  .,m}  from  the  token. 

2.  Apply  the  Gram-Schmidt  process  to  transform  the  pseudorandom  number  into  an  orthonomal  set  of 


matrices  {riG  R^  |  i=l,...,m}. 


3.  Compute  {(A|ri  G  R^)|  i  =  l,...,m}. 


4.  Compute  m-bit  BioHash  such  that 


bi  = 


0  if{r\n)<T 
1  if(r|ri)  >T 


where  t  is  a  predefined  threshold.  This  quantization  process  distinguishes  the  BioHash  method  from  other  template 
protection  methods.  Upon  executing  the  wavelet  transforms  and  discretization  algorithm,  the  end  product  is  a 
template  that  cannot  feasibly  be  reverse  engineered  without  presenting  both  the  biometric  image  and  tokenized 
random  number. 


Performance 

The  researchers  tested  the  proposed  method  against  600  fingerprint  images,  conducting  29,700  imposter  attempts 
and  1,500  genuine  attempts.  They  claimed  to  have  achieved  0%  EER  where  the  bit  length  of  the  template  was  equal 
to  or  greater  than  40.  The  results  implied  that  the  approach  is  reliably  error-tolerant  and  perhaps  the  most  robust  of 
all  those  reviewed  in  this  report.  But  they  were  contested  by  several  academics.  Cheung  et  al.  (2005)  could  not 
reproduce  high  quality  match  rates  using  the  proposed  transform  method,  feature  extraction  method,  and  similarity 
measure.  Kong  et  al.  (2006)  argued  that  0%  EER  was  owed  entirely  to  the  tokenized  random  number;  therefore  to 
integrate  biometrics  with  a  token  would  be  redundant  as  the  token  alone  sufficed  as  the  perfect  password.  Having 
tested  the  method  in  a  stolen-token  scenario,  the  critics  observed  it  to  distinguish  genuine  and  imposter  users  very 
poorly. 

In  defence  of  their  methodology,  Teoh  et  al.  (2007)  published  the  match  rates  of  their  method  in  stolen-token  and 
stolen-biometrics  scenarios  using  two  different  feature  extraction  methods.  In  the  stolen-biometrics  scenario,  they 
achieved  2.1 1%  EER  and  0%  EER  respectively;  whereas  in  the  stolen-token  scenario  they  achieved  26.79%  EER 
and  21.53%  EER.  BioHash  and  its  variants  thus  remain  vulnerable  to  imposters  who  wield  stolen  tokens.  The 
researchers  proposed  a  multistage  approach  to  their  method  that  enhanced  the  matching  performance  in  the  event  of 
a  stolen  token. 

Hao  et  aL  (2006) 

Hao  et  al.  proposed  a  method  for  encrypting  iris  images  in  such  a  way  that  produced  error- free  keys  despite  the 


See  pp.  2248-9  for  a  detailed  example  of  the  transforms  used. 
See  pp.  2040-2. 
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typical  10-20%  error  bits  found  in  iris  codes.  They  hypothesized  that  correcting  errors  in  biometric  data  using  Reed- 
Solomon  and  Hadamard  codes  prior  to  matching  would  improve  performance  without  sacrificing  security. 

Method 

The  proposed  method,  as  shown  in  Figure  21,  encompasses  two  aspects:  an  error-correction  code  that  combines 
Reed-Solomon  and  Hadamard  codes,  and  multifactor  key  generation  using  an  auxiliary  secret,  e.g.  a  password.  The 
Reed-Solomon  code  corrects  errors  in  the  input  image  at  the  block  level,  and  then  the  Hadamard  code  corrects  errors 
at  the  binary  level.  An  XOR  operation  between  the  binary  string  Cps  a  reference  iris  code  e^ef  produces  an  encrypted 
template  eiock  to  be  saved  on  a  smartcard  or  other  token,  defined  as 


^lock  ^ps©  ^ref 


To  decrypt  the  key,  an  XOR  operation  between  an  input  image  and  the  encrypted  template  is  executed  such  that 

^  ps  ~  ^lock  ©  ^sani 
=  9ps  @  e 


where  ^  is  the  error  vector  between  two  iris  codes.  Error  correction  recovers  the  trial  value  of  the  biometric  key 

and  a  match  exists  where  ^  is  within  the  correction  capability  k  =  k  ^  which  is  verified  by  comparing  the  hash 
values. 


Figure  21:  Schematic  overview  of  the  proposed  system  (2006:  8). 

Performance 


K 


The  researchers  tested  the  proposed  method  against  700  iris  images.  Where  block  length  was  equal  to  six,  they 
achieved  0%  FAR  and  0.47%  FRR  from  241,300  imposter  comparisons  and  3,150  genuine  comparisons.  These 
among  the  best  results  of  the  studies  reviewed  in  this  report.  They  noted  that  the  Hadamard  code  caused  a  tradeoff 
between  error  tolerance  and  key  length.  Thus  while  they  achieved  an  even  lower  false  rejection  rate  where  the  block 
length  equaled  seven,  the  loss  in  entropy  made  the  key  less  than  optimal. 

Ballard  et  aL  (2008) 

Ballard  et  al.  observed  a  tendency  for  some  biometric  modalities  to  produce  highly  entropic  keys.^^  The  objective  of 
their  research  was  to  create  highly  entropic  keys  regardless  of  the  modality.  They  proposed  a  multifactor  key 
generation  method  that  augmented  the  entropy  of  the  key. 


See,  e.g.  Monrose  et  al.  (2001a)  and 
Monrose  et  al.  (2001b). 
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Method 


59 


Two  algorithms  constitute  the  method:  enrollment  and  key  generation.  During  enrollment,  the  user  presents  a 
biometric  B  and  a  password.  Having  extracted  the  features  from  the  input,  their  statistical  characteristics  are 
calculated  and  an  index  of  each  feature  is  stored  in  a  table.  Error  correction  codes  quantize  the  range  of  the  feature 
into  partitions  of  a  length  equal  to  the  quantization  width  of  the  map  from  theset  of  biometric  samples 


mod  5; 


Si 

if  Hi>j 

if  iXi<  — 
2 


where  i  is  the  median  of  each  feature  (t)(ai ), 


,(t)(ai).  The  key  is  derived  from  a  random  oracle  applied  to  the 


password,  the  feature  indexes,  and  the  lower  boundaries  of  the  partition  that  contains  the  output  of  each  feature.  The 
feature  data  and  quantized  outputs  are  encoded  into  secure  template.  The  template  T  consists  of  the  encrypted 
feature  set  C  and  token  v  such  that 

T  =  Ce,T)  =  CCCiO,  . CjCn  - 13  Clinic  I  Jl  - 1  1)  33 

where  K  is  a  cryptographic  key  and  5  is  an  optional  password  serving  as  an  extra  source  of  randomness.  During 
authentication,  the  user  submits  a  query  biometric  and  password  with  which  the  key  generation  algorithm  will 
attempt  to  decrypt  the  stored  template.  If  the  key  matches  the  token  in  the  stored  template,  the  algorithm  can  recreate 
the  list  of  feature  indexes  and  quantization  offsets.  The  system  can  only  return  a  match  if  the  key  generation 
algorithm  quantizes  the  output  range  of  the  features  in  the  same  way  the  enrollment  algorithm  does. 

Performance 

The  research  tested  the  proposed  method  against  human  forgers  and  the  concatenative  synthesis  generative 
algorithm. Respectively,  they  achieved  as  low  as  17.7%  EER  against  human  forgers  and  27%  EER  against  the  CS 
algorithm.  Such  results  suggest  that  the  method  is  not  suitable  for  practical  applications. 

Kanade  et  al.  (2010) 

Kanade  et  al.  proposed  a  method  for  encrypting  multimodal  biometric  templates  whose  keys  possessed  greater 
entropy  than  those  produced  in  previous  methods.  As  such  their  study  is  similar  in  its  objectives  and  methodology  to 
that  of  Merkle  et  al.  (2010). 

Method 

The  researchers  used  two  layers  of  error  correction  in  the  enrollment  phase.  First  they  used  Reed-Solomon  codes, 
then  Hadamard  and  BCH  encoding  for  modality-specific  error  correction.  They  gave  a  higher  weight  to  error 
correction  for  iris  images  because  they  have  shown  to  produce  fewer  errors  than  fingerprint  images.  The  output  of 
the  Reed-Solomon  error  correction  is  salted  by  a  user  specific  secret.  This  salt  serves  as  the  cancelable  property  in 
the  proposed  method.  The  salted,  error  corrected  output  is  then  divided  into  two  parts:  one  to  be  encoded  by  a 
Hadamard  code,  the  other  by  a  BCH  code.  Those  outputs  were  concatenated  and  finally  XORed  with  the 
concatenated  uniform  zero  insertion  values  of  the  reference  iris  code  and  face  code.  During  authentication,  a  query 
iris  image  undergoes  uniform  zero  insertion  and  is  concatenated  with  the  face  image  input.  This  value  is  XORed 


Pseudocode  for  the  enrollment  and  key  generation  algorithms  are  shown  on  p.  5. 

For  details  on  concatenative  synthesis,  see  L.  Ballard,  S.  Kamara  and  M.  K.  Reiter,  2006,  “The  Practical  Subtleties 
of  Biometric  Key  Generation,”  in  Proceedings  of  the  lf'^  Annual  USENIX  Security  Symposium:  29-41 . 
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with  the  encrypted  template,  and  the  result  is  divided  into  two  parts:  one  to  one  to  be  decoded  by  a  Hadamard  code, 
the  other  by  a  BCH  code.  The  concatenated  value  must  be  “un-shuffled”  by  a  password  supplied  by  the  user,  and  the 
resultant  value  will  be  decoded  by  Reed-Solomon  codes.  If  successful,  the  result  is  a  regenerated  key.  Figure  22 
illustrates  the  overall  workflow  of  the  proposed  method. 
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Figure  22:  Schematic  diagram  of  multifactor  key  generation  enrollment  and  verification  modules 


Performance 


Having  tested  the  proposed  method  against  380,625  imposter  comparisons  and  1,750  genuine  comparisons,  the 
researchers  were  able  to  produce  210-bit  keys  at  0.91%  FRR  and  0%  FAR  and  168-bit  keys  at  0.1 1%  FRR  and  0% 
FAR.  With  a  combined  high  level  of  entropy  and  low  level  of  error  puts,  these  results  showed  that  the  method 
effectively  mitigated  the  tradeoff  between  template  security  and  matching  performance.  These  results  suggested  that 
a  multimodal  approach  could  effectively  mitigate  the  tradeoff  between  template  security  and  matching  performance. 
Emerging  now  is  a  persuasive  correlation  between  the  quality  of  these  results  and  those  of  the  multifactor 
approaches.  It  suggests  that  the  encryption  of  any  single  biometric  may  not  be  enough  to  produce  reliably  secure 
and  competent  templates  in  many  cases. 

4.7  Noninvertible  Transforms 


Noninvertible  transforms  are  a  generic  means  of  obfuscating  biometric  template  data  by  way  geometric 
transformation.  Transforms  are  executed  either  at  the  single  domain  or  the  feature  domain.  The  literature  has  favored 
feature  domain  transforms,  which  alter  features  such  as  the  position  of  the  minutiae  coordinates.  By  contrast,  single 
domain  transforms  alter  the  pixels  of  the  raw  image. 

Figure  23  illustrates  the  manner  in  which  minutiae  points  are  repositioned  by  a  feature  domain  geometric  transform. 
The  dots  indicate  the  position  and  angle  of  fingerprint  minutiae.  Observe  how  they  are  repositioned  after  a  Gaussian 
transform.  Any  template  protection  method  could  employ  a  noninvertible  transform  as  one  of  several  means  of 
obfuscating  the  template  data.  Typically  the  parameters  which  influence  the  transform  are  used  as  the  cancelable 
property  in  a  protected  template.  For  additional  security,  these  parameters  can  be  derived  from  a  user-supplied  input 
such  as  a  password  or  a  private  key.  The  methods  reviewed  in  this  section  use  noninvertible  transforms  as  the 
principal  means  of  template  protection. 


See  Monrose  et  al.  2001;  Teoh  et  al.  2004;  Hao  et  al.  2006;  Nandakumar  et  al.  2007;  Ouda  et  al.  2010. 
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Figure  23:  Example  of  a  noninvertible  transform  (Nagar,  Nandakumar  and  Jain  2006:  2). 


4.7.1  Performance 

It  is  difficult  to  compare  the  performance  of  methods  that  employ  noninvertible  transforms  because  the  methods  and 
transforms  vary  significantly.  Hirata  and  Takahashi  (2009)  achieved  extremely  low  error  rates  using  correlation 
invariant  random  filtering.  But  no  other  transform-based  method  met  the  target  of  1%  ERR  at  0%  FAR,  and  many 
yielded  double-digit  error  rates.  Therefore  this  report  will  avoid  making  a  blanket  assessment  of  the  performance  of 
noninvertible  transforms. 

4.7.2  Articles 
Soutar  et  al.  (1999) 

Soutar  et  al.  reviewed  an  algorithm  they  developed  at  Mytec  Technologies,  Inc.,^^  in  which  fingerprint  data 
fundamentally  influenced  the  makeup  of  a  private  key.  The  algorithm,  simply  called  Biometric  Encryption, 
processed  the  entire  image,  not  just  the  feature  data,  in  the  production  and  retrieval  of  a  key.  Their  goal  was  to 
produce  128-bit  keys,  which  could  be  used  in  common  encryption  standards  like  AES.  They  used  a  correlation  filter 
function  H(u)  to  measure  the  degree  of  similarity  between  input  and  reference  images. This,  they  claimed,  helped 
to  surmount  the  problem  of  intraclass  variations  but  did  not  bolster  the  entropy  of  the  key.  They  referred  to  the 
encrypted  template  as  a  Bioscrypt. 

Method 

At  a  high  level,  the  user  presents  multiple  fingerprint  images  to  be  transformed  and  linked  with  a  cryptographic  key 
during  enrollment.  An  identification  code  is  then  stored  in  a  lookup  table.  During  authentication,  the  acquired  image 
is  again  transformed.  A  key  is  retrieved  from  the  lookup  table,  and  the  two  identification  codes  are  compared. 

Two  filters  process  the  images:  a  filter  hmction  H(u)  and  a  transitory  filter.  The  filter  hmction  is  defined  as 

Ao(u)R(u) 

H(u)  = - ,  = 

aP(u)  +  yjl  -oc^  Z)o(u) 


Mytec  Technologies,  Inc.  has  since  been  acquired  by  L-1  Identity  Solutions. 

See  J.  W.  Goodman,  1968,  “Introduction  to  Fourier  Optics”;  A.  VanderLugt,  1992,  “Optical  Signal  Processing”;  and 
E.  G.  Steward,  1995,  “Fourier  Optics:  An  Introduction.” 
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where  ^  is  the  spatial  frequency  domain,  Ao  (u)  and  Ro  (u)  is  an  array  of  random  numbers. 

During  enrollment,  the  user  presents  T  fingerprint  images  to  train  the  system.  Fourier  transforms  are  performed  on 
each  image  to  compute  Ao  (u)  and  Do  (u).  An  array  of  random  numbers  R(u)  is  generated.  The  filter  function  H(u)  is 
responsible  for  ensuring  low  intraclass  variance  and  high  interclass  variance.  It  produces  an  output  pattern  Co  (x)  that 
is  linked  with  an  N-bit  key  ko.  In  this  linking  process,  Co  (x)  is  binarized  and  a  lookup  table  is  created  and  stored  in 
the  Bioscrypt  to  be  used  in  key  retrieval  during  authentication.  Finally  ko  encrypts  data  from  H” stored”  (u)  to  be 
hashed  and  stored  as  an  identification  code  ido  in  the  Bioscrypt.  Thus  the  Bioscrypt  consists  of  a  lookup  table,  ido, 
and  Hstored  (^)* 


During  authentication,  the  user  presents  T  fingerprint  images  to  be  processed  as  in  enrollment.  Using  Hstored  (u)  from 
the  Bioscrypt,  an  output  pattern  Ci  (x)  is  generated  to  be  used  in  retrieving  the  N-bit  cryptographic  key. 

Implications 

This  approach  was  tested  on  fingerprint  images.  The  researchers  noted  that  it  could  be  applied  to  any  modality  as 
long  as  the  data  is  represented  as  a  two-dimensional  array,  like  an  image.  Their  method  would  eventually  be 
implemented  in  the  first  commercial  biometric  template  protection  product  called  Bioscrypt.  The  method  is  more 
complex  than  many  of  the  methods  developed  in  successive  research.  Many  critical  details  must  be  overlooked  in 
summarizing  it.  Considering  this,  the  method  may  be  more  expensive  for  systems  to  compute. 

Ang  et  al.  (2005) 

Ang  et  al.  designed  a  method  for  producing  cancelable  fingerprint  templates.  They  applied  a  key-dependent 
geometric  transform  to  the  extracted  features.  Cancelling  a  template  is  a  matter  of  changing  the  key  used  in  the 
transform. 


Method 


During  enrollment,  the  user  presents  a  fingerprint  from  which  a  feature  vector  is  extracted.  Interested  only  in  the 
design  of  the  cancelable  transform,  the  researchers  preprocessed  the  image  and  extracted  the  features  using 

VeriFinger  SDK.  For  each  minutiae  point  Mi  a  vector  is  built  with 
the  coordinates  (xi,yi ),  angle  cpi,  type  ti,  and  local  feature  vector 
Fi=(dij,0j,(pij,nij,tj)  for  each  neighbor  minutiae  point  Mj  where  dij 
is  the  distance  between  Mi  and  a  neighbor  Mj,  nij  is  the  distance 
between  their  ridges,  0ij  is  the  angle  between  their  ridges.  Figure 
24  illustrates  the  proposed  feature  vector  when  the  number  of 
neighboring  minutiae  points  L=2. 

During  verification,  the  user  submits  a  query  fingerprint  from 
which  a  feature  vector  R  is  extracted,  following  the  same  model  as 

in  enrollment.  The  query  vector  is  compared  against  the  stored 

0/1  T-i-  1  1  ^  ^  vector  using  a  similarity  function  Si  (i,j)  where 

Figure  24:  Diagram  ot  the  loeal  feature  veetor  ®  i  v 

where  L=2  (2005:  246 


The  researchers  suggested  4  to  6  images  to  train  the  system  sufficiently. 

They  encrypted  this  data  because  it  was  unique  to  each  user  and  present  at  both  enrollment  and  authentication. 
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Slii.j)  = 


Lp 

0 


if  W.\FT-Ff\<tp 
if  W.\FT-Ff\>tp 


and  where 


is  a  weight  vector  for  each  eiement  of  Fj®®  Ultimateiy  the  matching  score  Ms  is  expressed  as 


Ms 


100 


T-ijSgji.j) 

max{M,  N} 


The  user  is  authenticated  if  Mg  is  higher  than  a  given  threshold  Tp,the  suggested  value  of  which  was  tp=6(5L+l) 

Performance 

The  researchers  tested  the  proposed  transform  algorithm  and  matching  algorithm  against  800  images  of  10  unique 
fingerprints,  using  the  NIST  Fingerprint  Image  Software  to  identify  core  points  and  extract  the  minutiae.  They 
achieved  2%  EER  where  the  threshold  tp=0.53  and  4%  EER  where  tp=0.52. 

Chen  and  Chandran  (2007) 

Chen  and  Chandran  proposed  a  template  protection  that  they  claimed  was  more  resistant  to  attacks  than  prior 
methods.  As  a  benchmark  they  wanted  to  make  the  resultant  keys  compatible  with  the  128-bit  Advanced  Encryption 
Standard  (AES).  They  also  desired  to  make  the  template  cancelable.  The  proposed  method  used  Reed-Solomon  error 
correction  codes. 


Method 


The  methodology  for  calculating  the  weight  vector  was  adopted  from  X.  Jiang  and  W.  Yau,  “Fingerprint  Minutiae 
Matching  Based  on  the  Local  and  Global  Structures,”  in  Proceedings  of  the  15th  International  Conference  on  Pattern 
Recognition  II  (2000):  6038-6041. 
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Figure  25:  Schematic  diagram  of  transform-  and  error-correction-based  method  (2007:  3). 

As  shown  in  Figure  25,  upon  enrollment,  the  biometric  image  undergoes  a  bispectral  transform  that  is  designed  to 
eliminate  bit  errors.  Specifically  a  Radon  transform  converts  the  image  into  an  array  of  one-dimensional  projections. 
Then  an  iterative,  bispectral  transform  alters  the  projections  in  a  noninvertible  fashion. The  resultant  magnitude 
and  angle  matrices  are  converted  to  binary  form.  The  “desirable”  bits,  having  high  interclass  entropy  and  low 
intraclass  entropy,  are  selected  from  the  binary  matrices.  Templates  can  be  cancelled  by  changing  the  number  of 
iterations  or  the  criteria  for  bit  selection.  Finally  a  lookup  table  is  constructed  with  the  two  columns  of  N-bit 
sequences — one  for  the  original  key,  the  other  for  the  bio-key — which  are  encoded  with  a  Reed-Solomon  coding 
scheme. 

Performance 

The  researchers  tested  their  method  against  three  dimensional  face  images,  which  were  normalized.  Without  error 
correction  codes,  they  achieved  66%  FRR  at  0.26%  FAR  where  key  length  N  =  64  and  95%  FRR  at  0.0006%  FAR 
where  N  =  512.  After  implementing  Reed-Solomon  error  correction  codes,  they  achieved  25%  FRR  at  1.22%  FAR 
where  key  length  k  =  1 12  and  63%  FRR  at  0.09%  FAR  where  k  =  208.  Neither  approach  produced  results  that 
would  suffice  for  most  real-world  applications.  They  predicted  that  to  implement  Hadamard  error  correction  code 
before  the  Reed-Solomon  code  would  improve  the  matching  performance,  and  this  was  confirmed  in  the  tests  by 
Hao  et  al.  (2006). 

Boult  et  aL  (2007) 

Boult  et  al.  generated  cancelable  tokens  called  Biotopes  by  applying  a  noninvertible  transform  to  minutiae  points. 
Having  explained  the  basic  protocol,  they  further  described  how  to  implement  it  in  such  a  way  that  supported 
multifactor  key  generation.  The  term  “Biotope”  was  eventually  trademarked  and  used  in  biotoken  products  sold  by 
Securics,  Inc. 


Method 


See  V.  Chandran  and  S.  L.  Elgar,  1993,  “Pattern  Recognition  Using  Invariants  Defined  from  Higher  Order  Spectra: 
One  Dimensional  Inputs,”  in  IEEE  Transactions  on  Signal  Processing  (41):  205. 
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Figure  26:  Schematic  diagram  of  process  for 
generating  and  matching  biotokens  (2007:  4). 


Figure  27:  Schematic  diagram  of  process  for  mapping  data  for  use  as 
biotokens  (2007:  5). 


Figure  26  and  Figure  27  give  a  high  level  overview  of  the  process  for  generating  and  matching  tokens.  Fingerprint 
features  are  first  extracted  from  an  input  image.  The  researchers  used  a  Bozorth  matcher,  which  takes  as  input  a 
feature  vector  v=(x,y,0,q)  where  x,y,0  respectively  indicate  the  coordinates  and  angle  of  the  minutiae  points  and  q  is 
a  measure  of  quality. 

Performance 


The  researchers  tested  both  the  proposed  method  and  the  NIST  VBT  method  against  4,950  imposter  fingerprints  and 
2,800  genuine  fingerprints.  The  proposed  method  achieved  8.6%-1.2%  EER  and  outperformed  the  NST  VBT 
method  by  -33%.  Thus  they  claimed  that  the  proposed  biotoken  method  improved  verification  performance. 

Scheirer  and  Boult  (2008) 

Scheirer  and  Boult  proposed  a  form  of  cancelable  biometric  token  or  “biotoken”  to  be  used  in  symmetric  key  release 
systems  where  both  parties  mutually  validate  the  transaction.  They  designed  the  token  to  support  one-time 
transactions  and  trust  hierarchies.  Furthermore  they  claimed  their  method  allowed  for  better  auditing,  non¬ 
repudiation,  and  protection  against  replay,  phishing  and  man-in-the-middle  attacks.  The  public  key  is  the  only 
information  ever  reused  in  subsequent  transactions.  Using  the  proposed  biotoken  the  researchers  designed  multiple 
protocols  for  secure  transactions  and  digital  signatures. 

Method 


Revocable  Biotokens 


For  each  transaction,  the  user  presents  a  biometric  image  that  is  scaled,  translated,  and  ultimately  split  into  stable 
and  unstable  components,  which  are  respectively  called  the  quotient  q  and  the  remainder  r.  The  quotient  q  is 
encrypted  or  hashed  while  the  remainder  r  is  left  in  the  clear.  Because  the  quotient  q  is  stable,  it  can  be  used  for 
exact  matching.  The  measure  of  dissimilarity  between  two  biometric  signals  d(p,q)  is  computed  such  that 


For  details  on  the  Bozorth  matcher,  see  C.l.  Watson  et  al.,  2004,  “User’s  Guide  to  NIST  Fingerprint  Image  Software 
2.” 
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d(P.<?)  = 


c  if  w(p)!  =  abs(r(p)  -  r(c/))  >  b 

(^1^-  if  w(p)!  =  abs(r(p)  -  »•(<?))  <  b 

where  c  is  a  constant  penalty  to  outliers. 

Nested  Biotokens 

The  researchers  described  a  method  for  re-encoding  biotokens,  which  builds  hierarchies  of  trust  and  allows  data  to 
be  released  without  revealing  other  secrets.  In  the  same  way  that  certificate  authorities  issue  digital  certificates  in  a 
hierarchy  of  trust,  biotokens  can  be  encoded  multiple  times  to  produce  keys  unique  to  specific  applications.  For  each 
encoding,  the  transformed  biotoken  wj  is  re-encoded  with  a  unique  transform  function  T.  The  process  can  be 
expressed  as 


1st  encoding:  Wj  i(v',P) 

2nd  encoding:  Wy  2(wy  T2) 

3rd  encoding:  Wy  3(wy  2,f3) 

nth  encoding:  r„) 

where  P  is  a  public  key  used  to  encode  the  biotoken  in  the  first  iteration. 

Bipartite  Biotokens 

Bipartite  biotokens  assume  properties  of  fuzzy  cryptosystems.  An  embedded  polynomial  obfuscates  secret  data  with 
chaff  data.  The  biotoken  is  transformed  in  such  a  way  that  allows  data  to  be  secured  in  it  and  released  upon 
successful  verification.  This  method  is  covered  in  depth  by  Scheirer  and  Boult  (2009). 

Digital  Signatures 

The  sensor  sends  a  public  key  to  a  remote  signature  server,  which  returns  a  transaction  ID.  The  sensor  then  sends  the 
bipartite  biotoken  signature  to  the  server,  which  will  generate  its  own  local  biotoken  and  match  the  two  biotokens.  It 
sends  the  biotoken  signature  to  the  sensor,  which  validates  the  received  signature  and  appends  an  audit  log  with 
server  information.  This  process  attempts  to  mitigate  the  man-in-the-middle  attacks. 

Maiorana  et  al.  (2008) 

Maiorana  et  al.  encrypted  handwritten  signature  templates,  proposing  the  use  of  hidden  Markov  models  to  compare 
the  templates  in  the  encrypted  domain. 

Method 

As  the  user  writes  a  signature  on  the  acquisition  device,  the  features  are  extracted  in  the  form  of  time  sequences, 
whose  parameters  include:  horizontal  and  vertical  position  trajectory  (Xn,yn),  pressure  signal  Pn,  path-tangent  angle 
Cn,  path  velocity  magnitude  Vn,  log  curvature  radius  hn,  and  total  acceleration  magnitude  an  where  n  is  a  discrete  time 
index.  Altogether  the  time  sequence  vectors  are  expressed  as 

Un  =  [Xn.yn'Pn.^n>Vn.Pn'anV>n  =  1,2 . N 

Each  time  sequence  vector  Un is  stored  in  a  template  matrix  U=[ui. .  .Un].  A  noninvertible  transform  function  fi  [n]  is 
applied  to  elements  in  the  matrix  through  the  linear  convolution  of  the  functions  r(i)j,Ni  [n]  such  that 
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fi[n]  =  *  ...  * 


producing  a  secure  template  T[n]  of  the  transformed  elements  in  u[n],  such  that 


T=[f(ui),  ...,f(uj] 


During  authentication,  the  user  writes  a  signature  from  which  time  sequence  vectors  are  extracted.  The 
representation  of  the  query  signature  is  compared  against  one  or  more  secure  signatures  stored  in  the  dataset  using 
the  Viterbi  algorithm  to  calculate  similarity  score,  such  that 


where  e  is  the  HMM  model,  defined  by  the  number  of  hidden  states  H  and  the  number  of  Gaussian  densities  M  that 
describe  the  probability  p(t)  of  the  emission  of  symbol  t  from  the  state  h,h=l,. .  .,H. 

Performance 

The  researchers  tested  the  proposed  method  against  16,500  handwritten  signatures.  Results  showed  that  this 
approach  is  not  reliable.  The  method  achieved  its  lowest  equal  error  rate  at  10.29%  where  the  number  of  hidden 
states  H=8,  the  number  of  Gaussian  densities  M=2,  and  W=2.  The  method  may  perform  too  poorly  for  most 
practical  purposes  until  improvements  are  made;  although  it  should  be  noted  that  the  increase  in  EER  was  only 
slight  compared  to  those  of  unprotected  approaches. 

Shi  et  al.  (2008) 

Shi  et  al.  designed  a  framework  that  integrated  feature  extraction  and  noninvertible  transforms  in  such  a  way  that 
mitigated  the  tradeoff  between  security  and  performance.  In  their  study  they  propose  a  feature  extraction  method 
called  “MinuCode,”  which  they  claimed  was  more  reliable  than  past  methods.  MinuCode  avoids  reference  core 
point  determination  and  deals  with  the  noise  of  fingerprint  biometrics. 

Method 

Shi  et  al.  first  extracted  the  minutiae  coordinates  and  plotted  them  onto  a  polar  coordinate  system,  forming  a 
MinuCode  template  through  a  process  shown  in  Figure  28.  They  used  tessellation  quantification  to  alter  the 
coordinates  in  such  a  way  that  centered  on  a  region  of  interest.  Then  they  applied  a  noninvertible  transform  to  the 
MinuCode  T=(b,a,o).  They  described  three  possible  transforms.  The  first  transform  involves  three  steps,  where 

k=(bxpxpxp)+(axpxo) 

where  P  is  a  constant  larger  than  a,  b,  or  o.  Then  it  encrypts  a  random  string  RS  with  a  block  cipher  Ek  ()  using  k  as 
the  key.  Finally  publishes  a  new  tuple  T^=(RS,Ek  (RS)).  The  second  transform  involves  two  steps.  First  it  generates 
three  random  positive  integers  ri,  r2,  rs  and  then  it  publishes  a  new  tuple  T^=(Zi,Z2,Z3)  with  an  application-specific 
parameter  e:  Z^=b+ri  (a  *  P  +  o  +  e),  Z2=a+ri  (a  *  P  +  b  +  e),  Z^=o+ri  (a  *  P  +  a  +  e)  where  P  is  a  constant  larger 
than  a,  b,  or  o.  The  third  transform  discards  ri,  r2,  r3,  and  b,  a,  o.  Before  performing  a  match,  the  input  images  are 
automatically  aligned  using  the  minutiae-centered  quotient  calculation  and  tessellation  quantification.  Threshold 
mechanisms  tm  and  tp  are  used  to  correct  errors  in  minutiae  locations:  two  regions  are  equal  if  there  are  at  least  tm 
equal  neighbor  minutiae,  and  finally  two  fingerprints  are  matched  if  there  are  at  least  tp  equal  regions. 


The  researchers  cite  L.R.  Rabiner,  1989,  “A  Tutorial  on  Hidden  Markov  Models  and  Selected  Applications  in 
Speech  Recognition,”  in  Proceedings  of  the  /EEE7(2):257-286. 
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Figure  28:  Illustration  of  MinuCode  (2008:  2). 


Performance 

The  researchers  tested  the  proposed  method  against  800  fingerprint  images.  After  9,900  imposter  comparisons  and 
100  genuine  comparisons,  their  results  yielded  1.35%  HER.  They  were  able  to  produce  a  360-bit  key,  which  is 
among  the  more  secure  keys  of  those  reviewed  in  this  report. 

Hirata  and  Takahashi  (2009) 

Hirata  and  Takahashi,  researchers  at  the  Hitachi,  Ltd.  Systems  Development  Laboratory,  produced  cancelable 
templates  with  the  goal  of  minimizing  the  tradeoff  between  security  and  performance.  The  researchers  cited  a  prior 
study  which  found  that  a  minimum  average  correlation  energy  filter  could  produce  cancelable  templates. They 
used  number  theoretic  transforms,  which  are  similar  to  Fourier  transforms  and  allow  the  system  to  match  templates 
in  the  encrypted  domain. 

Method 

Assume  the  following  preliminaries:  f(x,y)  is  the  registered  image;  g(x,y)  is  the  input  image;  F(u,v)  is  the  number 
theoretic  transform  of  the  padded  registered  image;  G(u,v)  is  the  number  theoretic  transform  of  the  input  image; 
R(u,v)  is  a  random  filter;  R^'^^  (u,v)  is  the  inverse  of  the  random  filter.  The  number  theoretic  transform  0  has  a  cyclic 
convolution  property  of  0(a*b)=0(a)0(b)  where  a={al  },  b={bl  }  and  *  is  convolution.  This  property  facilitates 
correlation-based  matching  in  the  encrypted  domain.  The  correlation  between  f(x,y)  and  g(x,y)  is  Wf,g(p,q)  expressed 
as 


^  -  p,y  - 

(x.y)ES(p,q) 

where  S(p,q)  is  the  region  that  the  registered  image  overlaps  the  input  image  at  the  displacement  (p,q).  The  system 
computes  peak-to-mean  from  the  correlation  to  authenticate  the  user.  Peak  and  mean  represent  the  maximum  and 
mean  values  of  Wf,g(p,q)  respectively,  and  the  peak-to-mean  ratio  is  simply  peak  -  mean. 


See  Savvides  et  al.,  2004,  “Cancelable  Biometric  Filters  for  Face  Recognition,”  in  17^^  International  Conference  on 
Pattern  Recognition  (ICPR  2004),  3:  922-925. 

For  details  on  the  number  theoretic  transform,  see  R.C.  Agarwal  and  C.S.  Burrus,  1975,  “Number  Theoretic 
Transforms  to  Implement  Fast  Digital  Convolution,”  in  Proceedings  of  the  IEEE  63(4):  550-560. 
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During  enrollment,  the  user  presents  a  fingerprint  image.  The  client  machine  pads  the  acquired  image  and  applies  a 
number  theoretic  transform  0  to  the  padded  image.  It  multiplies  the  transformed  image  with  a  random  filter,  and  the 
final  product  is  sent  to  the  dataset.  The  secure  template  can  be  expressed  as  T(u,v)=R(u,v)F(u,v)  where  R(u,v)  is  a 
uniformly  random  filter  and  F(u,v)  is  the  number  theoretic  transform  of  the  padded  input  image.  During 
authentication,  the  user  presents  a  query  fingerprint  image.  The  steps  are  repeated  and  the  server  matches  the  input 
images  against  one  or  more  registered  templates  in  the  encrypted  domain. 

Performance 

The  researchers  tested  the  proposed  method  against  infrared  finger- vein  images.  Having  conducted  102  genuine 
comparisons  and  10,302  imposter  comparisons,  they  achieved  a  complete  separation  between  the  normalized 
frequency  distribution  of  the  genuine  and  imposter  classes,  which  implies  100%  accuracy.  They  found  small  traces 
(0.016%)  of  information  from  the  original  images,  though  they  claimed  this  was  too  small  to  allow  one  to  reverse 
engineer  an  encrypted  image. 

Takahashi  and  Hirata  (2009) 

Takahashi  and  Hirata  attempted  to  resolve  the  tradeoff  between  template  security  and  verification  accuracy.  The 
proposed  method  adopts  the  correlation  invariant  random  filtering  approach  proposed  by  Hirata  and  Takahashi 
(2009)  into  a  chip  matching  algorithm  proposed  by  Mimura  et  al.^^  This  study  culminated  in  U.S.  Patent  Application 
Publication  2008/0037833  Al. 

Method 

The  researchers  use  a  chip  matching  algorithm  that  builds  upon  their  correlation  invariant  random  filter  (CIRF), 
which  incorporates  number  theoretic  transforms  to  achieve  perfect  secrecy. The  algorithm  operates  as  follows: 

(1)  an  input  fingerprint  image  is  processed  to  a  binary  image; 

(2)  the  core  is  detected  using  the  focal  point  method; 

(3)  minutiae  coordinates  are  recorded  in  a  set;  and 

(4)  similarity  between  the  chip  image  and  the  local  area  is  measured  by  the  Hamming  distance. 

Alignment  of  the  input  data  is  not  required.  As  shownin  Figure  29,  during  enrollment,  the  client  machine 
preprocesses  the  fingerprint  image  from  which  the  chip  images  will  be  clipped  and  filtered  into  a  cancelable 
template  to  be  stored  on  the  server  dataset.  During  authentication,  the  client  machine  presents  an  input  image  from 
which  chips  are  clipped  and  filtered.  The  server  cross-correlates  each  input  chip  and  accept  the  user  if  the  similarity 
score  falls  within  a  given  threshold. 


Rinaiy  image  for  emollmerii  Ririaiy  image  for  aulhenlieaLiori 


See  Masahiro  Mimura,  Shuichi  Ishida,  and  Yoichi  Seto,  2001,  “Development  of  Personal  Authentication 
Techniques  Using  Fingerprint  Matching  Embedded  in  Smart  Cards,”  in  lEICE  Transactions  on  Information  and 
Systems,  E84-D(7):  812-818. 

See  p.  2  for  an  overview  of  CIRF. 
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Figure  29:  Illustration  of  the  ehip  matehing  algorithm  (2009:  3). 


Performance 

The  researchers  tested  the  proposed  method  with  different  parameter  values  against  181  fingerprint  images.  Results 
yielded  5.0%  FRR  at  0.2%  FAR.  These  results  were  inferior  to  the  previous  implementation  by  Hirata  and 
Takahashi  (2009),  which  was  tested  against  finger  veins  and  did  not  incorporate  a  chip  matching  algorithm. 

Scheirer  and  Boult  (2009) 

Scheirer  and  Boult  designed  a  protocol  that  combined  the  methodologies  of  revocable  biotokens  by  Scheirer  and 
Boult  (2008)  and  the  fuzzy  vault  scheme  by  Juels  and  Sudan  (2002).  Like  the  fuzzy  vault,  the  proposed  method 
utilized  Reed-Solomon  error  correction  codes.  But  it  did  not  store  the  points  at  which  the  secret  polynomial  was 
evaluated.  It  is  allegedly  rotation  and  translation  invariant.  The  researchers  defined  bipartite  biotokens  as  revocable 
fingerprint  tokens  that  have  been  split  into  stable  and  unstable  components,  of  which  the  former  is  encrypted  or 
hashed  and  the  latter  is  left  in  the  clear. 

Method 

For  each  transaction,  the  user  presents  a  fingerprint  image  and  the  client  machine  sends  a  request  for  transaction  to 
the  server.  The  method  uses  a  Bozorth-like  procedure  to  conduct  matching,  where  the  raw  distance  and  angles 
d,ai,a2  are  stored  in  pair  rows  and  their  stable  components  sd,sai,sa2  are  protected  in  a  lookup  table.  To  evaluate  the 
polynomial,  sd,sai,sa2  are  hashed  into  a  value  i  that  is  stored  in  the  gallery.  The  hash  digest  i  is  again  hashed  as  h  in 
subsequent  transactions,  which  is  used  only  to  evaluate  polynomials  to  produce  encoded  bipartite  rows.  When 
matching  a  query  against  one  or  more  stored  templates,  the  system  created  all  the  fields  for  each  of  its  rows, 
including  the  hash  value  h.  A  probe  row  potentially  matches  a  gallery  row  if  it  finds  a  matching  w  and  if  the  residual 
values  rd,rai,ra2  are  within  threshold.  The  algorithm  evaluated  the  polynomial  w  generating  potentially  correct 
rs,rsi,rs2  values. 

Performance 

The  researchers  tested  the  proposed  method  against  750  million  imposter  attempts  on  fingerprint  images.  They 
achieved  3%  FRR  at  0%  FAR  with  256-bit  security  and  2  bytes  of  error  correction.  A  biotoken  with  16  rows  and  an 
error  correction  level  of  6  can  withstand  up  to  2^^^  brute  force  attempts,  which  represents  an  impressive  girth  of 
security. 

The  design  of  bipartite  biotokens  prevents  cross  matching,  surreptitious  key  inversion  (SKI),  and  blended 
substitution  attacks.  An  attacker  cannot  cross-correlate  biotokens  even  with  access  to  the  Reed-Solomon  polynomial 
encodings,  because  the  evaluation  points  are  not  stored  within  the  encoding.  The  researchers  note  that  the  protocol 
was  susceptible  to  an  attacker  whereby  the  attacker  substitutes  the  columns  of  the  biotoken  with  their  own  data,  but 
they  argued  that  this  was  a  detectible  action  as  it  represents  a  denial  of  service  to  the  genuine  user. 

4.8  Parametric  Key  Generation 

Parametric  key  generation  methods  classify  biometric  features  according  to  predefined  parameters  and  generate  a 
key  derived  from  the  parameter  outputs  rather  than  from  the  template  itself  This  approach  mitigates  the  problem  of 
intraclass  variations  because  the  shape  and  position  of  the  features  do  not  influence  the  construction  of  the  encrypted 
template.  For  example,  rather  than  store  the  locations  of  minutiae  points,  a  fingerprint  is  classified  simply  as  having 
an  arch,  loop,  or  whorl.  Many  parameters  must  be  defined  to  ensure  uniqueness  among  templates.  The  performance 
of  any  parametric  key  generation  algorithm  depends  on  the  reliability  of  its  parameters.  A  parameter  is  considered  to 
be  reliable  if  it  consistently  returns  the  same  value  upon  many  presentations  of  the  same  biometric.  Therefore  the 
best  performing  algorithms  are  likely  to  contain  many  parameters  with  simple  definitions,  allowing  for  many 
possible  combinations  and  accurately  reproduced  queries. 


See  p.  3  for  a  more  extensive  discussion  on  the  definition  of  bipartite  biotokens. 
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4.8.1 


Vulnerabilities 


Low  Entropy 

The  strength  of  a  parametrically  generated  key  is  a  function  of  the  number  of  parameters  defined  and  the  number  of 
possible  outputs  per  parameter.  The  number  of  parameters  that  can  be  defined  is  limited  by  our  knowledge  of  ways 
to  reliably  classify  biometric  features.  To  illustrate,  Hao  and  Chan.  (2002)  were  unable  to  produce  keys  greater  than 
an  average  length  of  40  bits  despite  having  defined  43  parameters.  In  their  concluding  remarks  the  researchers 
recommended  appending  additional  data  to  the  key  as  a  means  of  augmenting  its  entropy.  Such  data  could  include  a 
password  or  timestamp.  The  bare,  single-factor  methodology  for  parametric  key  generation  is  likely  to  produce  low 
entropy  keys  vulnerable  to  brute  force  attacks. 

4.8.2  Performance 

Parametric  key  generation  has  not  performed  well  in  empirical  tests,  although  the  methods  reviewed  in  this  report 
were  only  applied  to  handwritten  signatures  which  tend  to  yield  higher  error  rates  than  other  modalities  like 
fingerprint  and  iris.  None  of  the  proposed  methods  met  the  target  of  1%  FRR  at  0.1%  FRR,  but  Chen  and  Chandran 
(2007)  came  reasonably  close  at  1%  EER.  Parametric  key  generation  is  not  a  reliable  template  protection  method  for 
most  practical  applications.  The  method  may  be  best  suited  for  small  scale  applications  where  there  is  limited 
computing  power. 

4.8.3  Articles 
Hao  and  Chan.  (2002) 

Shortly  prior  to  the  time  of  this  publication,  electronic  signatures  were  accepted  as  a  legally  binding  under  E-Sign 
(2000).^^  Thus  began  the  boom  of  e-commerce  and,  more  importantly,  the  now  common  practice  of  digitally 
authenticating  oneself  on  computer  networks.  Hao  and  Feng  attempted  to  apply  biometrics  to  public  key 
infrastructure  (PKI),  the  convention  by  which  digital  information  was  secured.  The  difficulty  they  observed  in  such 
an  implementation  was  the  fuzzy  nature  of  biometrics  data.  Because  biometric  images  vary  slightly  upon  each 
acquisition,  no  person  could  reproduce  their  own  private  key  using  cryptographic  algorithms  that  demand  precise 
inputs.  They  proposed  a  cryptosystem  called  BioPKI  that  attempted  to  circumvent  this  problem  and  produce  secure 
and  reliable  private  keys  from  biometric  data. 

Method 

BioPKI  consisted  of  three  stages:  shape  matching,  feature  encoding,  and  private  key  generation.  Shaping  matching 
is  a  means  of  ruling  out  poor  quality  features  by  comparing  the  acquired  image  against  “good”  sample  images.  In 
their  study,  Hao  and  Feng  applied  dynamic  time  warping  to  align  the  shapes  of  handwritten  signatures  prior  to  shape 
matching.  The  biometric  features  are  then  extracted  from  the  acquired  image  and  encoded  into  a  template.  Lastly, 
private  keys  are  generated  from  the  encoded  template  using  the  digital  signature  algorithm  (DSA).  During 
enrollment,  the  algorithm  produces  an  encrypted  template  and  discards  the  original  image  so  that  none  of  the 
original  data  is  stored.  During  authentication,  a  user  presents  a  biometric  image  which  is  again  encrypted  and 
compared  against  one  or  more  encrypted  templates  in  the  dataset.  The  templates  can  be  matched  only  if  the  same 
transforms  were  applied  to  them,  and  the  original  data  never  needs  to  be  revealed  in  order  to  verify  an  identity. 

Performance 

Hao  and  Feng  tested  their  method  against  750  handwritten  signatures.  They  achieved  28%  FRR  at  1.2%  FAR, 
meeting  at  8%  EER.  Such  results,  while  undesirable  for  practical  applications,  represented  a  promising  start  to  the 
development  of  biometric  cryptosystems.  They  reminded  the  readers  of  the  naturally  higher  error  rate  of  signatures 
compared  to  other  modalities,  such  as  iris.  Therefore  it  would  be  worthwhile  to  test  the  approach  on  more  common 
and  reliable  modalities.  They  were  able  to  produce  40-bit  keys,  which  is  a  weaker  level  of  entropy  compared  to 
those  in  later  template  protection  methods.  They  recommended  padding  the  encoded  template  using  information 


The  Electronic  Signatures  in  Global  and  National  Commerce  Act,  enacted  by  the  U.S.  Congress  in  June  2000. 
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from  the  template  or  user  supplied  information  (e.g.  a  password)  prior  to  hashing  it  with  the  encryption  algorithm. 
Doing  so  would  fortify  the  key  against  brute  force  attacks  and  further  guarantee  uniqueness  among  keys. 

Implications 

The  researchers  mentioned  the  importance  of  all-bit-correctness  when  producing  hash  digests  of  biometric 
templates.  Their  solution  to  this  was  to  define  a  set  of  parameters  with  a  limited  number  of  discrete  values 
determined  by  the  features  of  the  acquired  image.  For  example,  pen  pressure  might  be  categorized  in  one  of  three 
classes  (light,  medium,  strong)  and  that  value  would  concatenate  with  those  of  other  parameters.  Thus  fuzziness 
would  be  eliminated  altogether.  To  be  effective,  a  large  amount  of  parameters  would  be  necessary  to  adequately 
control  intraclass  variance.  Though  this  method  is  not  replicated  in  later  studies,  its  computational  simplicity  may 
tempt  one  to  refine  it  until  it  attains  acceptably  low  rates  of  error. 

Vielhauer  et  al.  (2002) 

Vielhauer  et  al.  designed  a  method  for  generating  hash  values  from  handwritten  signatures.  Their  method  produces  a 
vector  of  24  feature  parameters.  No  reference  samples  were  stored  in  the  hashed  template,  an  advantage  that 
contrasted  with  variations  of  fuzzy  cryptosystems  which  stored  helper  data. 

Method 

During  enrollment,  the  user  produces  a  signature  on  an  acquisition  device  like  a  pen-based  PDA.  The  coordinate 

signals  Xt,yt  and  the  pen-up  and  pen-down  signals  V  are  collected  from  the  supplied  signature  image.  These 
three  basic  data  form  the  basis  of  24  feature  parameters  including,  for  example,  the  number  of  continuous  pen-down 
sequences  or  the  duration  of  the  complete  writing  process  in  milliseconds.  The  values  of  these  parameters  are  stored 
in  an  interval  matrix  IM  such  that 


IM  = 


LA/24 


•^24 


where  Af  is  the  interval  length  of  an  interval  [Ilow  •  •  -iRigh  ]  and  Ui  is  the  interval  offset.  Af  is  computed  from  initial 
intervals,  such  that 


[AnitLow- ^InitHigh]  ~  ...  MAX(?T,  y)] 

[kow  •••  Wh]  =  [^InltLow  *  (1  ~  ^f)  -^InitHinh  *  (t  +  h)] 

Where  f  is  a  tolerance  factor  derived  from  empirical  tests  of  authentic  writing  samples  against  the  above  intervals 
and  averaging  the  standard  deviations.  .  Af  and  Ui  can  be  expressed  as 

Ali  luigh  ~^0.5-(Ilow  “0*5)  Inigh  “1-Low  ~^1 

L  “  ^Ldw  +  1 

and 


Ui  Uow  mod(AIi) 


The  hash  values  are  calculated  by  mapping  each  feature  parameter  against  IM  .  The  hash  function  for  each  feature 
parameter  ft  is  written  to  a  hash  vector  as  such  that 


hiifi.Mi.nd 


(fi-nd 

Al, 
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Performance 


The  researchers  achieved  an  average  of  7.05%  FRR  at  0%  FAR.  These  are  impressive  results  compared  to  other 
methods  reviewed  that  focus  on  the  signature  modality.  The  parametric  approach  to  this  method  is  similar  to  that  of 
Hao  et  al.  (2002);  like  theirs,  this  method  is  less  complex  than  many  of  the  other  methods  reviewed  in  this  report  and 
may  be  less  expensive  for  systems  to  compute.  The  combined  results  of  Hao  et  al.  and  Vielhauer  et  al.  suggest  that 
generating  keys  under  the  constraint  of  parameters  could  yield  high  security  and  robustness  while  maintaining 
computational  simplicity. 

Costanzo  (2004) 

Costanzo  proposed  a  method  by  which  biometric  data  was  used  to  generate  cryptographic  keys  suitable  for  use  with 
symmetric  cipher  algorithms.  He  cited  shortcomings  in  previous  attempts, claiming  that  their  methods  required 
prealigned  inputs  and  expensive,  complex  computations.  He  intended  for  his  method  to  surmount  these 
shortcomings  while  producing  keys  that  were  highly  entropic,  unique,  and  stable. 

Method 

Costanzo ’s  method  adhered  to  the  concept  of  adaptive  boosting,  wherein  the  aggregation  of  small  classifiers  is 
assumed  to  produce  a  more  accurate  classification  than  any  single  classifier.  Classifiers  and  parameters  are 
measured  upon  acquiring  the  biometric  image.  For  example,  a  fingerprint  image  could  be  classified  as  having  an 
arch  with  a  parameterized  ridge  count  between  minutiae.  This  data  would  be  used  to  generate  a  cryptographic  key. 
The  author  did  not  go  into  detail  on  how  to  execute  this  process.  Instead  he  proposed  an  idea  wherein  the  greater  the 
number  of  classifiers  and  parameters  defined,  the  greater  the  number  of  total  number  of  possible  combinations  (and 
thus  entropy)  of  the  key.  If  an  algorithm  is  told  to  classify  an  input  according  to  three  distinguishing  characteristics 
with  two  possible  values  each,  the  combination  size  would  be  six.  This  would  yield  5,423,61 1,200  possible 
combinations  on  a  128-bit  key,  as  calculated  by 

/nx  ^  n!  ^  ^ 

“  k\(n-k)\  ~  k\ 

where  n  represents  combination  size  and  k  represents  key  length. 

Implications 

The  goal  of  this  paper  was  to  propose  a  simpler  method  for  generating  high  entropy  keys  from  biometric  data.  Its 
main  contribution  was  the  concept  of  encrypting  a  combination  of  parameter  values  derived  from  the  input  image, 
rather  than  encrypting  the  input  image  itself  Theoretically  it  would  be  much  easier  to  replicate  the  exact  same 
pattern  of  parameter  values  upon  authentication  than  the  exact  same  biometric  image.  Entropy  would  be  guaranteed 
by  defining  more  parameters,  which  yields  more  parameter  combinations;  while  verification  performance  would  be 
guaranteed  by  defining  parameters  easy  to  replicate  despite  fuzziness  (e.g.  whether  a  fingerprint  is  an  arch  or  a 
whirl,  rather  than  the  exact  coordinates  of  the  minutiae). 

Chen  et  al.  (2009) 

Chen  et  al.  produced  cryptographic  keys  from  pseudo-signatures.^^  Such  patterns  are  inherently  cancelable,  but  they 
are  easily  susceptible  to  shoulder  surfing  in  which  someone  observes  the  user  during  authentication  and  commits  the 
pattern  to  memory.  With  this  in  mind,  the  researchers  chose  to  extract  behavioral  data  such  as  velocity  and  pressure 
in  addition  to  the  actual  pattern  during  enrollment  and  authentication. 


76 

Monrose  et  al.  (2001b),  Clancy  et  al.  (2003),  Linnartz  and  Tuyls  (2003). 

Pseudo-signatures  are  hand-drawn  patterns  used  in  the  “Draw-a-Secref  graphical  password  scheme.  They  have 
been  used  to  authenticate  users  in  touchscreen  smartphones. 
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Method 


The  proposed  method  reportedly  follows  that  of  Vielhauer  et  al.  (2002)  which  processed  a  feature  vector  with  an 
error  correction  algorithm  to  produce  a  cryptographic  key.  During  enrollment,  the  user  draws  the  same  pseudo¬ 
signature  tr.  times  to  train  the  system.  The  training  process  assumes  the  following  preliminaries: 

fij  is  the  feature  value  of  the  j”th”  feature  in  the  i’'th”  training  sample; 

Ij-min(fij); 

rj'=max(fij); 

AIj=rj'-V+l; 
lj=lj'-AIjXaj;  and 

rj=rj'-AIjXaj  where  a  is  the  tolerance  value  for  the  corresponding  feature  in  a  tolerance  table. 

The  system  constructs  a  feature  vector  from  the  training  samples  into  an  nx2  matrix  [(li,ri  ),(l2)r2  )•  •  -(InTn)]-  A  hash 
value  of  the  feature  vector  is  computed  such  that 


Hi 


where  i  is  the  index  of  the  training  sample,  and  Uj=lj  mod  (AIj)  is  auxiliary  information  representing  the  offset  of  the 
hashed  feature.  The  feature  space  is  divided  into  intervals  along  each  dimension,  allowing  the  system  to  map  two 
inputs  of  negligible  variation  into  the  same  output.  The  final  output  is  a  cryptographic  key  that  is  stored  on  the 
dataset.  During  authentication,  the  user  draws  a  pseudo-signature  to  be  compared  against  one  or  more  secured 
templates  in  the  dataset.  The  query  is  converted  into  a  key  using  the  same  hash  function  employed  during 
enrollment.  If  the  difference  in  bits  between  the  query  and  stored  hash  falls  within  a  predefined  threshold,  the  system 
returns  a  match  and  the  user  is  authenticated. 


Performance 


The  researchers  tested  the  proposed  method  against  offline,  online,  and  trained  attack  models.  They  achieved  1% 
EER  in  the  offline  and  trained  attack  models,  and  4%  EER  in  the  online  attack  model.  The  researchers  adapted  their 
test  methodology  from  a  previous  study  which  found  that  users  drew  more  complex  patterns  when  doing  so  on  a 
background,  rather  than  a  blank  canvas.  With  this  in  mind,  they  generate  randomly  patterned  backgrounds  on  the 
canvas.  The  backgrounds  do  not  actually  affect  the  drawing;  they  merely  encourage  the  user  to  draw  more  complex 
patterns.  More  complex  patterns  results  in  higher  entropy  templates. 


4.9  Random  Projection 


Random  projection  is  a  means  of  reducing  the  dimensionality  of  a  set  of  points  while  nearly  preserving  the  distances 
between  the  points.  The  theory  behind  random  projections  stems  from  the  Johnson-Lindenstrauss  lemma,  which 


states  that  any  set  of  k  points  in  an  n-dimensional  Euclidian  space  can  be  embedded  into  an 
dimensional  space  such  that  the  pairwise  distance  of  any  two  points  is  maintained  to  a  reasonable  extent.  Some 
template  protection  methods  use  random  projection  as  a  means  to  randomly  map  minutiae  coordinates  while 
preserving  semantic  meaning  in  final  set. 


4.9.1  Vulnerabilities 


The  irreversibility  of  a  random  projection  matrix  can  be  compromised  if  an  attack  can  identify  linkages  among 
protected  templates.  This  linkage  can  happen  either  where  different  protected  templates  are  generated  for  different 
applications  or  where  they  are  updated  at  different  times.  The  attacker  can  exploit  the  leaked  information  either  to 
reverse  the  genuine  biometric  feature  vector  or  to  filter  out  unlikely  candidates  for  the  genuine  feature  vector. 


Johnson  and  Lindenstrauss,  “Extension  of  Lipschizt  Mapping  into  a  Hilbert  Space,”  189-206. 
Yang  et  al.  (2010):  2. 
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Yang  et  al.  (2010)  mitigated  this  vulnerability  by  producing  dynamic,  nonlinear  random  projection  matrices  that 
make  it  difficult  to  launch  inversion  attacks  in  the  event  of  a  stolen  token  scenario.  Wang  and  Plataniotis  (2010) 

describe  vulnerabilities  that  facilitate  correlation  attacks,  cross  matching  attacks,  and  known  projection  attacks  and 

80 

means. 

4.9.2  Performance 

Random  projection  methods  have  performed  well  in  empirical  tests.  Chikkerur  et  al.  (2008)  and  Yang  et  al.  (2010) 
both  exceeded  the  target  of  1%  FRR  and  0.1%  FAR. 

4.9.3  Articles 
Teoh  et  al.  (2007) 

Teoh  and  Yuang  extended  the  BioHash  method  first  proposed  by  Teoh  et  al.  (2007).  The  original  method  was 
observed  to  distinguish  genuine  templates  from  imposters  very  poorly  in  the  event  that  an  imposter  wielded  a  stolen 
token.  They  hypothesized  that,  in  a  stolen-token  scenario,  system  performance  would  improve  when  using 
multispace  random  projections. 

Method 

The  user  submits  a  face  image  during  enrollment.  Facial  features  are  extracted  from  the  image  and  transformed  into 
a  feature  vector  x.^^  The  vector  is  mapped  onto  a  random  projection  vector  such  that 


where  R  is  a  random  matrix  mxn  and  n  is  the  length  of  the  biometric  feature.  The  templates  can  be  cancelled  by 
issuing  a  new  tokenized  random  number  to  the  user. 

Performance 

The  researchers  tested  the  proposed  method  against  600  face  images  under  normal  conditions,  a  stolen-token  attack 
scenario,  and  a  stolen-biometric  attack  scenario.  They  also  tested  the  methodology  using  two  different  feature 
extractors:  EigenFace  and  Spectraface.  Each  test  compared  718,800  imposter  attempts  and  3,600  genuine  attempts. 
Under  the  stolen-token  scenario,  they  achieved  31.23%  EER  with  EigenFace  as  the  feature  extractor  and  18.10% 
EER  with  Spectraface  as  the  feature  extractor. 


Chikkerur  et  al.  (2008) 

Chikkerur  et  al.  attempted  to  produce  cancelable  fingerprint  templates  without  requiring  prealignment  of  the 
minutiae  points.  Their  goal  was  to  build  a  more  robust  system  that  could  withstand  image  registration  errors,  without 
compromising  security  in  the  template  design.  They  criticized  the  inability  of  biometric  cryptosystems^^  to 
withstand  intraclass  variation  adequately.  They  determined  that  geometric  registration  may  not  be  required  for  the 
construction  of  cancelable  templates,  which  they  observed  to  be  commonly  used  in  fingerprint  recognition.  Instead 
they  used  purely  local  measurements. 

Method 


Wang  and  Plataniotis,  2010,  “An  Analysis  of  Random  Projection  for  Changeable  and  Privacy-Preserving  Biometric 
Verification,”  1287. 

The  feature  extraction  process  is  not  investigated  in  this  article. 

See,  e.g..  Monrose  et  al.  2001 ;  Teoh  et  al.  2004. 
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For  each  transaction  the  user  presents  a  fingerprint  image  to  an  acquisition  device.  An  image  patch  is  extracted  from 
each  minutiae  point  rather  than  its  coordinates.  The  patches  were  aligned  with  the  angle  of  the  minutiae  to  ensure 
accurate  matching  performance.  To  calculate  the  similarity  among  the  patches,  a  normalized  dot  product  function 
computes  the  distance  d  between  a  query  template  x  and  a  stored  template  y  such  that 


dix.y) 


x^y 

|x||y| 


Ultimately  the  expansion  coefficients,  derived  from  a  Gabor  basis  expansion  of  the  patches,  form  a  unique  signature 
to  be  stored  in  the  dataset.  The  noninvertible,  cancelable  transform  T  is  executed  such  that 

T{x,Bk)  =  sgn{Blx) 


where  is  a  user  specific  projection  matrix. 

During  authentication,  the  user  presents  a  fingerprint  image.  A  signature  is  generated  from  the  features  in  the  same 
way  that  is  done  during  enrollment.  A  similarity  score  ^  between  the  query  signature  and  a  stored  signature 
6'i}  is  computed  such  that 


yno)) 


M  X/V 


where  T(i)  is  the  index  of  the  minutiae  in  set  {yi}  to  that  in  set  {xi}. 

Performance 


Having  tested  the  proposed  method  against  17,578  imposter  comparisons  and  188  genuine  comparisons,  the 
researchers  achieved  as  low  as  0%  FRR  at  0.1%  FAR  when  the  cancelable  transform  was  employed.  False 
acceptance  rate  was  much  higher  when  the  cancelable  transform  was  not  employed. 

Al-Assam  et  al.  (2009) 

Al- Assam  et  al.  designed  a  method  for  producing  cancelable  biometric  templates  using  noninvertible,  random 
projection  transforms,  an  approach  also  attempted  by  Teoh  et  al.  (2004).  They  claimed  that  the  method  could  match 
or  exceed  the  verification  performance  of  existing  methods  using  random  projections.  Their  explicit  goals  were  to 
create  templates  that  were  resistant  to  cross  matching,  highly  entropic  and  noninvertible,  cancelable,  and  negligibly 
detrimental  to  verification  performance. 

Method 

Random  projection  maps  data  from  orthonomal  matrices  to  other  spaces  and  preserves  the  distances  among  the  data 
points.  The  researchers  observed  previous  random  projection  methods  to  have  three  steps:  (1)  to  generate  m 
pseudorandom  vectors  from  a  user  key  or  token;  (2)  to  apply  the  Gram-Schmidt  algorithm^^  to  convert  the  vectors 
into  orthonomal  matrices,  which  have  the  same  dimensionality  as  the  original  template  feature  n;  and  (3)  to 
transform  the  original  template  feature  x  to  a  secure  domain  using  a  matrix  product  y=Ax.  They  claimed  that  small 
orthonomal  matrices  could  be  generated  without  using  the  Gram-Schmitd  algorithm. 

Their  modified  approach,  which  they  reported  to  be  computationally  more  efficient,  had  just  two  steps.  First  they 
selected  a  set  of  n  random  values  {  i,  2  -  •  •  n}  in  the  range  [0. .  .2  ]  according  to  a  user  key  or  token  to  create  an 
orthonomal  matrix  A.  Then  they  transform  the  original  biometric  template  from  a  secure  domain  y=Ax.  They  noted 


See  pp.  3-4  for  an  overview  of  the  Gram-Schmitd  algorithm. 
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that,  in  practice,  they  would  apply  a  secret  permutation  such  that  y=Ax+b  where  b  is  a  blinding  vector. 

Performance 

The  researchers  tested  the  proposed  method  against  two  datasets:  one  with  165  face  images,  the  other  with  80  face 
images.  They  used  wavelet  decomposition  to  achieve  face  recognition  and  nearest  neighbor  classification  to  achieve 
matching.  When  using  no  transformation,  they  achieved  21%  HER  and  17%  EER  from  the  respective  datasets. 

When  using  their  proposed  method,  they  achieved  2%  EER  and  0.2%  EER  respectively.  This  method  could 
potentially  match  the  verification  performance  of  preceding  methods  using  random  projection. 

Quda  et  aL  (2010) 

Ouda  et  al.  recognized  that  even  though  BioHash^"^  and  other  token-based  methods  for  cancelable  biometrics  yielded 
the  most  accurate  match  rates,  their  resistance  to  stolen-token  attacks  was  weak.  Therefore  they  proposed  a  method 
of  producing  cancelable  templates  in  such  a  way  that  did  not  require  tokens  but  could  still  compete  with  token-based 
methods  in  terms  of  matching  performance.  They  proposed  a  single-factor  authentication  scheme  called 
BioEncoding. 

Method 

For  each  transaction,  the  user  presents  an  iris  image  from  which  its  features  are  extracted  to  form  an  IrisCode.  To 
reduce  noise,  consistent  bits^^  are  selected  from  the  extracted  template.  To  this  end  they  first  aligned  the  query 
template  with  the  stored  template,  which  the  researchers  achieved  by  rotating  the  query  image  by  r-degree  intervals 
until  the  features  reach  an  angle  that  minimizes  the  Hamming  distance.  Then  they  masked  the  bits  that  were  likely  to 
be  the  same  value  at  similar  locations  in  both  templates,  omitting  those  with  high  variability.  The  consistent  bits 
were  stored  in  a  vector  C.  The  researchers  claimed  that  consistent  bit  extraction  was  an  important  step  in  optimizing 
verification  performance. 

The  final  template,  called  a  BioCode,  is  generated  from  the  consistent  bits  and  scrambled  into  a  compact  string. 

Prior  to  enrolling  users  the  server  stores  a  random  seed  that  generates  a  pseudorandom  sequence  of  length  2^  that  is 
used  to  randomly  map  the  consistent  bits.  Cancelling  a  BioCode  is  simply  a  matter  of  changing  the  value  of  this 
random  seed.  And  while  the  researchers  correctly  assume  that  one  random  seed  would  suffice  for  all  users  in  the 
system,  it  would  be  preferable  for  each  user  to  have  a  unique  random  seed  so  that  one  could  cancel  and  reenroll  her 
template  without  requiring  all  other  users  to  reenroll  their  templates.  For  each  transaction,  the  consistent  bits  of  the 
feature  vector  are  first  grouped  into  n  address  words  of  m  length.  Each  address  word  in  C  is  mapped  to  the  bit  value 
in  S  where  the  position  is  addressed  by  the  value  in  that  word.  An  example  is  given  where  an  address  word  111101, 
which  is  equal  to  the  decimal  61,  is  mapped  to  0  or  1  depending  on  whether  the  value  at  position  61  in  the 
pseudorandom  sequence  is  0  or  1.  To  authenticate  a  user,  the  entire  process  is  repeated  and  the  query  BioCode  is 
compared  against  one  or  more  stored  BioCodes. 


Performance 

The  researchers  tested  the  proposed  method  and  the  BioHash  method  against  756  iris  images  from  the  CASIA 
dataset.  They  found  that,  on  average,  one  in  five  bits  were  perfectly  consistent  among  all  IrisCodes.  After  566,244 
imposter  comparisons  and  756  genuine  comparisons,  they  found  that  BioCodes  produced  1. 3-2.1%  EER  while 
BioHash  produced  2. 2-5. 8%  EER.  But  the  proposed  method  has  some  scalability  issues.  The  more  trivial  issue  is  the 
need  to  submit  multiple  images  during  enrollment  in  order  to  train  the  system.  The  greater  issue  is  that  the  random 
seed  is  shared  among  all  users  enrolled  in  the  application.  To  cancel  one  user  requires  reenrolling  all  users,  which 
would  be  impractical  for  to  execute  in  large  scale  applications. 


See  Teoh  et  al.  (2004). 

“Reliable”  or  “consistent”  bits  have  a  high  probability  of  having  the  same  value  in  the  same  areas  among  multiple 
images  of  the  same  iris. 

See  pp.  6-7  for  diagrams  of  BioCode  generation. 
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Yang  et  al.  designed  a  new  approach  to 
random  projection  for  biometric 
template  protection  in  reaction  to  the 
security  concerns  of  the  stolen-token 
scenario  as  explained  by  Teoh  et  al. 
(2007).  The  concerning  issues,  the 
researchers  noted,  was  that  the  matrix 
was  both  public  and  linear.  The 
proposed  method  dynamically 
constructs  a  nonlinear  random 
projection  matrix  instead  of  a  fixed 
random  projection  matrix,  increasing 
the  computation  complexity  of  reverse 
engineering  a  secured  biometric 
template.  The  proposed  method 
performed  very  well  in  empirical  tests. 
This  research  was  funded  under  Project 
TURBINE  (ICT-2007-2 16339). 
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Figure  30:  Schematic  overview  of  the  anonymous  biometric 
access  control  system. 

are  set  to  be  public  with  each  slot  i  containing  L  p-dimensional  random  vectors.  From  each  slot,  one  of  the  L  random 
vectors  is  selected  for  projecting  the  biometric  feature  vector  b  to  obtain  one  dimension  of  the  projected  result  vector 
V.  The  selection  of  nj  will  be  decided  by  an  index  idi  is  which  is  the  jth  dimension  of  an  index  vector 
ID=(idi,id2. .  .idq)  such  that  with  all  the  public  slots  there  is  no  clue  to  the  attacker  which  random  vector  nj  from  the 
slot  i  was  selected  to  as  n  to  project  b  into  the  ith  dimension  of  v: 


Method 

Figure  30  illustrates  a  high  level 
overview  of  the  proposed  system.  To 
dynamically  construct  a  random 
projection  matrix,  q  random  vector  slots 


Vi=(ri,idi)  b 


An  index  vector  generator  function  can  be  designed  to  take  the  biometric  feature  vector  b  as  the  input  and  output  the 
q-dimentional  integer  index  vector  ID.  This  new  mechanism  makes  the  creation  of  the  projection  matrix  dependent 
on  the  to-be-projected  biometric  feature  vector.  The  researchers  presented  two  amplitude  quantization  functions:  one 
to  be  applied  to  the  biometric  feature  vector,  the  other  to  be  applied  to  a  fixed-matrix  based  random  projection  result 
vector. 


Performance 

The  researchers  tested  the  proposed  method  against  800  fingerprint  images  in  the  stolen  token  scenario.  They 
achieved  0.6%  FRR  at  0.1%  FRR  meeting  at  0.57%  EER  where  the  length  of  the  secure  binary  string  was  144  bits. 
These  are  among  the  most  promising  results  of  the  tests  reviewed  in  this  report.  These  results  were  achieved  when 
the  input  images  were  not  manually  prealigned. 


See  p.3  for  details  on  the  amplitude  quantization  functions. 
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5 


Iris  Recognition  Assessments  and  Performance  Evaluations 


5.1  Background 

Iris  recognition  technology  is  considered  a  candidate  for  use  in  biometric  PETs  due  to  the  richness  and  stability  of 
data  in  iris  images.  To  gauge  the  suitability  of  this  modality  for  use  in  PETs,  Indiana  University-Purdue  University 
Indianapolis  (lUPUI)  analyzed  previous  studies  of  iris  recognition  performance  and  conducted  a  new  study  of  iris 
recognition  performance.  References  for  this  section  are  marked  in  brackets  and  are  listed  in  Annex  G. 

5.2  Assessment  of  Iris  Recognition  through  Variable-Quality  Iris  Datasets 
5.2.1  Test  Iris  Image  Datasets 

Iris  image  quality  is  likely  to  be  a  determinant  of  the  viability  of  such  use.  To  this  end,  lUPUI  evaluated  the  ability 
of  a  commercial  iris  recognition  algorithm  to  process  seven  iris  image  datasets  of  varying  quality.  Representative 
images  from  each  dataset  are  shown  in  Figure  31. 


Dataset  Name 

Image  Format  &  Volume 

Quality  /  Capture  Notes 

Iris  Challenge  Evaluation 
(ICE) 

640x480 , 2953  images 

Controlled  environment,  eooperative  suhjeets,  illuminated  in 
the  near  infra-red  (NIR)  range 

Chinese  Aeademy  of 

Seienees  (CASIA)  2.0 

640x480 , 2400  images 

NIR 

CASIA  3.0  Set  1 

320x280 , 2639  images 

NIR;  eaptured  in  two  sessions,  at  least  one  month  interval 

CASIA  3.0  Set  2 

640x480 , 16213  images 

NIR;  eaptured  in  one  session 

CASIA  3.0  Set  3 

640x480 ,3183  images 

NIR;  eaptured  in  one  session 

West  Virginia  University 

640x480 , 1852  images 

NIR;  noisy,  heterogeneous  data,  with  obstruetions, 
ineonsistent  illumination,  and  out-of-foeused,  off-angle  irises 

UBIRIS 

800x600 ,  1877  images 

Color  images  aequired  in  visible  wavelengths;  Two  distinet 
sessions,  images  are  predominately  frontal  gaze. 

Multimodal  Biometrie 

Grand  Challenge  (MBGC) 

2048x2048 , 148  videos,  1 
seeond  duration 

NIR;  foeal  length  of  lOM  is  2~3  feet,  images  aequired  while 
suhjeets  walked  toward  the  eamera,  primarily  frontal  view, 
human  suhjeets  are  instrueted  to  look  at  iris  eameras 

lUPUI  multi-wavelength 

1280x1024, 352  videos 

NIR;  obtained  from  both  eyes  on  two  separate  oeeasions,  time 
period  between  eaeh  data  aequisition  is  at  least  one  week,  only 
used  green  wavelength  to  test 

lUPUI  Remote 

1280x1024,731  videos,  30 
fps 

NIR;  average  iris  radius  was  95  pixels,  data  was  aequired  in 
two  sessions,  at  least  one  week  between  sessions,  6  videos  per 
iris,  variety  of  positions  and  situations 

Iris  Challenge  Evaluation  (ICE)  images  are  640x480  resolution  and  illuminated  in  the  near  infra-red  (NIR)  range, 
acquired  using  the  LG  IrisAccess  2200.  The  dataset  contains  2953  images  (1426  left  eyes  and  1527  right  eyes). 
Acquisition  was  performed  in  a  controlled  environment  with  cooperative  subjects. 

CASIA  iris  datasets  were  created  by  the  Institute  of  Automation  from  the  Chinese  Academy  of  Sciences  (CASIA). 
CASIA  ver.  2.0  includes  2400  images  (640x480)  of  60  eyes.  CASIA  3.0  is  comprised  of  3  different  sets.  Set  I 
contains  249  subjects,  385  classes,  and  2639  images  (320x280).  Most  images  were  captured  in  two  sessions,  with  at 
least  one  month  interval.  Set  2  contains  411  subjects,  819  classes,  and  16213  images  (640x480).  Set  3  contains  200 
subjects,  400  classes,  and  3183  images  (640x480)  from  100  pairs  of  twins.  Both  second  and  third  sets  are  one 
session. 

The  WVU  Dataset,  consisting  of  1852  images  (640x480)  of  380  eyes,  was  developed  by  the  West  Virginia 
University.  WVU  images  were  captured  with  few  environmental  constraints,  resulting  in  noisy,  heterogeneous  data, 
with  obstructions,  inconsistent  illumination,  and  out-of-focused,  off-angle  irises. 
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The  UBIRIS  dataset  images  are  color  images  acquired  in  visible  wavelengths,  in  comparison  to  most  iris  datasets 
which  are  acquired  using  NIR.  The  dataset  consists  of  1877  images  (800x600)  composed  of  241  users  in  two  distinct 
sessions.  The  images  are  predominately  frontal  gaze. 

The  Multimodal  Biometric  Grand  Challenge  (MBGC)  NIR  video  dataset  was  acquired  using  Samoff  s  lOM 
system.  It  consists  of  148  one-second  videos  (2048x2048)  from  1 14  subjects.  The  focal  length  of  lOM  is  about  2~3 
feet.  Images  are  acquired  while  subjects  walk  toward  the  camera.  These  video  images  are  primarily  frontal  looking 
iris  images  and  the  human  subjects  are  instructed  to  look  at  the  iris  cameras. 

The  lUPUI  multi-wavelength  dataset  was  acquired  under  eight  different  wavelengths  illumination  including  Purple 
(420  nm),  Blue  (470  nm),  Green  (525  nm),  Yellow  (590  nm),  Orange  (610  nm),  Red  (630  nm),  Deep  Red  (660  nm), 
and  Infra-Red  (820nm)  at  a  distance  of  one  foot.  In  each  wavelength,  there  are  total  352  images  of  44  subjects 
whose  eye  colors  included  blue,  dark  brown,  light  brown,  green,  and  hazel.  For  each  human  subject,  we  obtained  the 
image  videos  (1280x1024)  from  both  eyes  on  two  separate  occasions.  The  time  period  between  each  data  acquisition 
is  at  least  one  week.  In  this  experiment  we  only  used  the  Green  wavelength  to  test. 

The  lUPUI  remote  non-cooperative  dataset  included,  for  each  eye  at  each  session,  6  iris  videos. 

•  The  first  video  was  frontal  and  the  eye  was  still. 

•  The  second  and  third  videos  were  captured  while  subjects  read  sentences  from  wall-mounted  posters  (placed  15 
feet  away  from  the  subject,  about  5  feet  behind  the  camera) 

•  The  fourth  and  fifth  videos  were  acquired  while  the  subjects  were  searching  the  wall  to  calculate  the  total 
number  of  certain  symbols 

•  The  sixth  video  was  acquired  while  subjects  did  simple  numerical  calculations  with  the  numbers  placed  on  the 
ceiling  of  the  room. 

Each  1280X1024  video  was  captured  at  30  frames  per  second.  The  average  iris  radius  of  the  video  images  in  the 
dataset  was  approximately  95  pixels.  Each  subject’s  data  was  acquired  in  two  sessions,  with  at  least  one  week 
between  sessions.  The  dataset  consists  of  31  subjects,  62  irises,  731  iris  video  sequences,  and  205,538  video  frames. 
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WVU  cbtabase  lUHJI  Remote  cbtabas 

Figure  31:  Representative  Iris  Images 


5.2.2  Performance  Evaluation  Metrics 

Metrics  used  to  evaluate  performance  were  false  rejection  rate  (FRR),  false  acceptance  rate  (FAR),  and  failure  to 
process  rate  (FTPR).  These  statistics  are  based  on  the  following  matching  outcomes  [62].  True  Negatives  (TN)  are 
different-iris  pairs  correctly  identified  as  being  from  different  eyes.  False  Positives  (FP)  are  different-iris  pairs 
incorrectly  identified  as  the  same  eye.  False  Negatives  (FN)  are  same-iris  pairs  incorrectly  identified  as  not  being  the 
same  iris.  True  Positives  (TP)  are  same-iris  pairs  identified  as  the  same  iris. 

FRR  is  calculated  as: 


rriu 

= - : - 1  ]00% 

^  .(2-1) 


FAR  is  calculated  as: 


,2.2, 


FTPR  is  calculated  as: 


eiPSi 


f  af  Images  thct  /s-llefl  ta 


(2-3) 


5.2.3  Results  and  Analysis 

Summary  quality  results  are  shown  in  Figure  32.  Images  that  failed  to  process  were  given  a  score  of  0. 
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Figure  32:  Quality  score  of  all  datasets 


Summary  processing  and  matching  results  are  shown  in  Figure  33. 


Dataset 

#  of  Images 

#  of  Eyes 

FTPR 

ERR* 

FAR* 

ICERIGHT 

1528 

120 

0% 

5.47% 

S.OSxlO-Vo 

ICELEFT 

1425 

124 

0.07% 

3.91% 

1.49x1  O' Vo 

CASIA  2.0 

1200 

60 

2.75% 

20.63% 

0 

CASIA  3.0 

3183 

400 

2.8% 

23.05% 

5.94xlO'Vo 

WVULEFT 

1562 

190 

1.22% 

15.16% 

0 

WVURIGHT 

1537 

234 

0.85% 

13.3% 

1.28xlO'Vo 

UBIRIS  (part  1) 

1214 

241 

0.58% 

12.5% 

5.45x1  O' Vo 

MBGC 

1072 

285 

4.57% 

38.28%** 

1.75xlO'Vo 

lUPUI  MULTIWAVE 

886 

88 

19.07% 

41.69%*** 

4.67x10'^% 

lUPUI  Remote 

731  videos,  205,538  images 

62 

NA 

NA 

NA 

Figure  33:  Summary  of  Iris  Recognition  Performance  for  Test  Datasets 


Results  are  shown  in  chart  form  in  Figure  34  and  Figure  35. 
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Figure  34:  Comparative  Failure  to  Proeess  Rates 
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Figure  35:  Comparative  Aeeuraey  Rates 


FRR  and  FAR  were  based  on  a  Hamming  distance  of  0.33  as  threshold  (the  default  setting).  By  comparison,  in  [1] 
Daugman  suggested  that  a  Hamming  distance  of  0.26  would  result  in  a  zero  FAR  in  a  large  dataset.  A  Hamming 
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distance  of  0.26  would  have  a  higher  FRR. 

The  resolution  of  the  iris  patterns  in  the  MBGC  dataset  are  about  150  pixels  across  the  iris,  which  is  much  lower 
than  the  expected  working  environment  of  the  commercialized  system.  This  accounts,  in  whole  or  part,  for  the  FRR 
(38.28%)  for  this  dataset.  Because  iris  patterns  in  dark  brown  eyes  are  hard  to  be  extracted  in  visible  wavelengths, 
the  FRR  in  lUPUI  dataset  is  high  (41.69%). 

The  ICE  dataset  [63]  has  high  accuracy  and  quality.  Its  images  were  acquired  using  a  commercial  NIR  iris  camera 
under  well  controlled  environment  with  good  illumination.  The  overall  recognition  accuracy  for  this  dataset  is  high 
with  very  low  FRR  and  FTPR.  A  small  number  of  bad  quality  images  with  high  occlusion  were  falsely  rejected.  In 
addition,  one  off-angle  image  in  the  ICE  dataset  has  greatly  affected  the  accuracy  as  Daugman  has  analyzed  in  [25]. 
There  is  a  very  small  FAR.  The  lowest  Hamming  distance  of  false  accepted  pair  is  0.3083. 

The  CASIA  datasets  [64]  had  relatively  low  quality.  Most  human  subjects  for  this  dataset  are  Asians  whose  eyes 
sometimes  are  small  and  eye  lashes  often  occludes  iris  patterns.  The  FRR  is  relatively  high,  as  many  images  have 
been  rejected  due  to  heavy  occlusion.  The  smallest  false  acceptance  Hamming  distance  for  this  dataset  is  0.3218. 

The  WVU  dataset’s  [65]  illumination  is  less  consistent  than  the  system  expects,  dramatically  affecting  its  accuracy. 
Some  images  even  have  iris  completely  covered  in  a  shadow.  0.3173  is  the  smallest  false  acceptance  Hamming 
distance  for  this  dataset. 

UBIRIS  [39]  is  a  color  iris  dataset.  Although  the  commercial  system  is  designed  to  work  on  NIR  images,  it 
performed  surprisingly  well  in  this  dataset.  Some  images  are  falsely  rejected  because  the  irises  are  too  dark  to  be 
viewed  in  the  visible  wavelengths.  In  addition,  some  images  are  very  blurry.  0.3149  is  the  smallest  false  acceptance 
hamming  distance  in  this  dataset. 

MBGC  dataset  [66]  didn’t  perform  well,  as  the  commercial  iris  recognition  algorithm  used  in  the  evaluation  is 
designed  to  perform  iris  recognition  using  NIR  face  images.  Extracted  irises  were  approximately  150  pixels  in 
diameter,  much  lower  than  the  expected  working  environment  of  the  commercialized  system.  In  addition,  some 
irises  are  not  fully  contained  in  the  image,  and  one  image  shown  in  Figure  3 1  is  even  partially  covered  by  eye 
glasses.  This  explains  the  dataset’s  high  FRR  and  FTPR.  It  is  reported  in  Matey’s  paper  [5],  that  with  proper 
segmentation,  Daugman’ s  recognition  method  can  work  very  well  in  MBGC  dataset.  lOM  systems  are  capable  of 
adequate  performance  using  MBGC-style  images. 

The  lUPUI  multispectral  dataset  has  very  high  resolution  images  and  had  to  be  downsized  to  work  in  the  system. 

The  downsizing  process  could  distort  the  iris  patterns,  which  could  account  for  the  high  FRR.  Since  we  used  the 
images  from  green,  yellow,  and  NIR  wavelengths,  some  dark  brown  iris  images  are  too  dark  to  be  used  for 
recognition,  potentially  contributing  to  high  FRR.  Even  though  there  are  several  false  matches,  0.3151  is  the 
smallest  false  acceptance  Hamming  distance  in  this  dataset.  As  anticipated,  the  test  system  was  unable  to  process  the 
lUPUI  Remote  dataset  due  to  the  low  resolution  and  non-frontal  capture  of  its  images. 

Cross-matching  of  iris  images  from  different  datasets  did  not  result  in  any  false  matches. 

The  following  conclusions  can  be  drawn  from  this  multi-dataset  evaluation  of  a  commercial  iris  recognition  system: 

•  Processing  and  matching  are  very  fast.  The  system  can  perform  iris  recognition  in  17.8ms  (including 
segmentation,  feature  extraction  and  1:1  matching). 

•  It  has  very  low  FAR  when  using  a  decision  threshold  (Hamming  Distance)  of  0.33.  As  Daugman  has  discussed 
in  [1],  for  large-scale  matching,  the  recommended  HD  is  0.26.  Such  a  threshold  would  have  resulted  in  a  0.00% 
FAR  and  higher  FRR  for  all  datasets. 

•  The  system  is  capable  of  processing  visible  wavelength  images,  assuming  that  iris  patterns  are  good  enough  for 
recognition. 

•  The  system  can  work  reasonably  well  with  regular  pupil  dilation. 

•  The  system  is  designed  to  reject  poor  quality  images  to  avoid  possible  false  acceptance. 

Areas  for  improvement  include  the  following: 
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•  The  system  is  unable  to  process  non-cooperative,  off-angle  iris  images. 

•  Since  the  commercialized  system  is  designed  for  images  acquired  from  a  specific,  paired  acquisition  system, 
preferences  in  iris  image  resolution  and  illumination  are  present.  Usually,  the  commercialized  system  can  work 
best  with  iris  images  with  resolution  about  200  pixels  across  the  iris.  However,  for  lower  resolution  or  higher 
resolution  images,  if  resolution  can  be  adjusted  properly  without  deforming  iris  patterns,  the  system  can  also 
perform  accurate  iris  recognition. 

•  Recognition  accuracy  can  be  affected  dramatically  by  poor  illumination  condition  or  poor  contrast. 

•  Recognition  accuracy  can  be  affected  dramatically  by  motion  blur. 

•  The  commercialized  system  would  not  work  with  dark  color  iris  images  in  visible  wavelength  due  to  the  lack  of 
recognizable  iris  patterns. 

•  Hamming  Distances  are  not  necessarily  symmetric.  When  used  for  enrollment,  lower-quality  images  resulted  in 
higher  (worse)  HDs. 

5.3  Impact  of  Compression  on  Iris  Recognition 

5.3.1  Background 

The  goal  in  the  section  is  to  study  how  the  state-of-the  art  iris  recognition  system  performs  when  the  image  of  the 
iris  has  been  compressed.  There  are  two  topics  in  iris  image  compression:  the  consequences  of  iris  pattern 
compression  to  the  iris  recognition  accuracy  and  how  to  achieve  the  highest  possible  compression  without 
compromising  iris  recognition  accuracy.  In  this  section,  we  first  study  how  iris  pattern  compression  would  affect  iris 
recognition  accuracy  and  how  to  measure  image  quality.  Then  we  examined  how  to  achieve  high  compression  rate 
which  is  possible  by  reserving  as  much  information  as  possible  in  the  iris  pattern  area. 

Data  compression  is  beginning  to  play  a  part  in  the  use  of  iris  recognition  systems.  In  the  field  applications  using 
handheld  iris  recognition  devices  often  use  wireless  communication  to  connect  to  the  central  server  for  identification 
and  verification.  Law  enforcement  agencies,  such  as  the  Border  Patrol,  the  Coast  Guard,  and  the  Armed  Forces,  are 
using  portable  wireless  iris  recognition  devices.  While  it  will  be  ideal  to  have  wide  bandwidth  for  transmission  in 
real-life  applications,  it  often  needs  to  transmit  captured  images  or  templates  over  a  narrow-bandwidth 
communication  channel.  In  this  case,  minimizing  the  amount  of  data  to  transmit  (which  is  possible  through 
compression)  minimizes  the  time  to  transmit,  and  saves  energy.  There  are  other  iris  applications  that  require  a  full- 
resolution  iris  image  to  be  carried  on  a  smart  card,  but  require  a  small  fixed  data  storage  size.  In  some  cases  (such  as 
surveillance  applications),  the  images  acquired  have  already  been  compressed.  If  the  image  has  been  compressed  it 
is  important  to  know  how  much  it  has  been  compressed  and  to  what  degree  the  compression  will  affect  the 
recognition  accuracy. 

5.3.2  Compression  and  Iris  Recognition  Accuracy 

Ives  et.  al.  [67]  and  Du  et.  al  [46]  studied  how  compression  in  iris  images  would  affect  compression  accuracy.  JPEG 
2000  was  used  on  the  ICE  dataset  [68].  JPEG  2000  is  a  state  of  the  art  compression  method;  it  uses  a  discrete 
wavelet  transform  to  compress  an  image.  JPEG  2000  is  published  by  the  Joint  Photographic  Experts  Group.  For  this 
paper  the  default  parameters  and  options  of  the  JasPer  implantation  of  JPEG  2000  were  used  [69].  In  this  way  the 
compression  rate  was  uniform  across  the  entire  image  and  no  special  priority  was  given  to  the  iris  area. 


Original  (A)  25:1  (B)  50:1  (C)  75:1  (D) 


Figure  36:  Sample  image  at  various  levels  of  eompression  [67].. 


100:1  (E) 
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Figure  36  shows  the  original  image  and  4  different  compression  rates.  As  the  compression  is  increased  some  of  the 
finer  details  get  lost  and  artificial  patterns  get  introduced  into  the  image.  Both  of  these  factors  will  affect  image 
quality  and  recognition  accuracy. 


Compared  Databases 

Minimum 

HD 

Mean 

HD 

Maximum 

HD 

Original  versus  Original 

0.0025 

0.1535 

0.4795 

Original  versus  25: 1 

0.0000 

0.1514 

0.4818 

Original  versus  50: 1 

0.0000 

0.1685 

0.4705 

Original  versus  75: 1 

0.0008 

0.1912 

0.4742 

Original  versus  100:1 

0.0035 

0.2109 

0.4802 

Figure  37:  Summary  of  Iris  Recognition  Performance  for  Test  Datasets 


Figure  37  shows  the  genuine  match  results  at  various  levels  of  compression.  Lower  HD  means  the  images  are  a 
better  genuine  match.  The  data  consists  of  2953  images,  1425  were  right  eyes  of  124  different  people  and  1528  were 
left  eyes  from  120  different  people.  There  is  a  slight  improvement  in  Hamming  distance  in  the  min  and  the  max  for 
the  first  three  levels  of  compression  and  there  is  an  improvement  for  the  first  level  of  compression  for  the  mean.  It  is 
expected  that  the  Hamming  distance  would  increase  as  the  compression  increased  because  data  is  lost  and  the 
genuine  matches  become  less  similar.  The  decrease  in  Hamming  distance  is  probably  because  the  compression 
removed  some  noise  and/or  in  the  small  data  set  an  artificial  patterns  appeared  that  was  unique  for  a  particular  iris. 
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Original 
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1.470 
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2.020 

2.500 
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1.470 
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1.540 

1.770 

2.010 
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3.000 

Cr75 

2.020 

2.280 

2.420 

3.010 

3.350 
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2.500 

2.800 

3.000 

3.350 

4.450 

Figure  38:  Iris  Recognition  Cross-Matching  EER 


Above  are  cross-matching  results  Figure  38  is  equal  error  rate,  in  this  table  the  EER  increases  as  the  compression 
increase.  This  shows  that  the  compression  decreases  the  accuracy. 


Original 

FRR  at  FAR  =  0.001 

Cr25  Cr50  Cr75 
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Original 

0.022 

0.024 

0.028 

0.042 

0.057 

Cr25 

0.024 

0.030 

0.035 

0.049 

0.069 

Cr50 

0.028 

0.035 

0.044 

0.057 

0.075 

Cr75 

0.042 

0.049 

0.057 

0.079 

0.088 

CrlOO 

0.057 

0.069 

0.075 

0.088 

0.125 

Figure  39:  Iris  Recognition  FRR  at  FAR=  0.001. 

Figure  39  is  false  rejection  rate  at  false  acceptance  rate=0.001,  this  table  shows  a  decrease  in  FRR  every  time  that 
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compression  is  increased. 


FRR  at  FAR  = 
Original  Cr25 

0.0001 

Cr50 

Cr75 
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Original 

0.036 

0.043 

0.060 

0.087 
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Cr25 

0.043 

0.070 

0.088 

0.126 

0.149 

Cr50 

0.060 

0.088 

0.105 

0.134 

0.153 

Cr75 

0.087 

0.126 

0.134 

0.177 

0.170 

CrlOO 

0.106 

0.149 

0.153 

0.170 

0.223 

Figure  40:  Iris  Recognition  FRR  at  FAR  =  0.0001. 


Figure  40  is  false  rejection  rate  at  false  acceptance  at  0.0001.  This  table  shows  a  decrease  in  FRR  as  compression 
increase  in  all  but  one  instance.  The  100:1  compression  image  compared  to  the  75:1  image  preformed  worst  than  the 
75:1  compared  to  the  75:1.  The  FRR  is  very  close  0.177  for  the  75:1  to  75:1  and  0.170  for  the  100:1  to  75:1.  This 
result  is  likely  a  statistical  anomaly  because  it  was  very  small  and  it  only  occurred  in  this  one  test.  These  tables  also 
show  that  mean  HD  shouldn’t  be  the  only  measure  used  to  evaluate  the  quality  of  an  image  because  these  tables 
show  that  accuracy  is  greatly  impacted  by  compression. 

5.3.3  Compression  and  Iris  Image  Quality 

Poor  quality  image  can  affect  recognition  accuracy  because  they  do  not  have  enough  feature  information.  In  [70],  we 
proposed  the  feature  correlation  evaluation  based  method  to  measure  image  quality.  By  using  information  as  a 
measure,  it  can  not  only  describe  the  randomness  of  the  features,  but  also  generate  high-order  statistics  of  the  iris 
image  based  on  its  features  [70].  For  compressed  images,  the  artificial  patterns  introduced  by  the  compression 
generally  would  be  more  correlated  than  the  natural  iris  patterns.  That  means  there  would  be  less  difference  between 
adjacent  artificial  patterns.  Using  information  distance  as  a  measure,  we  can  measure  the  feature  quality.  The 
combination  of  occlusion  and  dilation  determines  the  amount  of  iris  patterns  available  in  matching,  and  is  also 
considered  in  the  proposed  quality  measure. 

Figure  41  shows  the  feature  correlation  measure  score  for  each  row  of  the  eye  in  Figure  36.  A  is  the  normal  image, 

B  is  the  25:1  compression,  C  is  50:1  compression,  D  is  75:1  compression,  E  is  100:1  compression.  It  shows  that  the 
FCM  decreases  as  the  compression  increases.  This  shows  that  feature  information  is  reduced  with  increasing  of 
compression,  which  results  in  lower  image  quality.  The  quality  scores  for  (A)  to  (E)  are  0.9975,  0.3784,  0.2660, 
0.2539  and  0.2008  respectively. 
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Figure  41:  Row-by-row  feature  eorrelation 

Figure  42  shows  the  mean  quality  score  decreases  with  increasing  of  compression  rate.  The  rate  of  decrease  is 
greater  at  lower  levels  of  compression.  This  means  that  the  rate  of  information  lose  is  greatest  for  the  first  stages  of 
compression. 
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Figure  42:  Mean  quality  seore  at  various  eompression  levels 


5.3.4  Region  of  Interest  Compression 
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A  regular  image  compression  scheme  could  affect  iris  recognition  accuracy  and  iris  image  quality  significantly.  In 
[71],  Daugman  designed  a  Region  of  Interest  based  iris  compression  method  to  achieve  better  compression  rate. 
Figure  43  shows  the  diagram  of  Daugma’s  compression  approach.  It  first  detects  the  iris  area  and  crop  the  images  to 
reduce  size.  Next  the  eyelid  and  eyelashes  are  replaced  with  a  gray  area  to  take  less  space  when  the  image  is 
compressed.  Finally  the  image  is  compressed  using  Region  of  Interest  (ROI)  approach.  See  Figure  44  for  examples. 


Figure  43:  The  diagram  of  Daugman's  eompression  approaeh  .. 


Figure  44:  From  left:  JPEG  compressed,  Isolated  JPEG,  and  JPEG2000^^ 


For  ROI-based  approach,  there  JPEG  and  JPEG  2000.  JPEG  2000  is  designed  to  allow  for  a  region  of  interest  to  be 
assigned  and  in  that  way  the  JPEG  2000  compresses  the  image  in  such  a  way  that  it  preserves  more  of  the  data  in  the 
ROI.  Figure  45  shows  the  comparison  of  the  Hamming  distance  using  ICE  dataset  left  eyes  (1425  images  from  124 
individuals).  The  total  compression  is  calculated  by  dividing  the  original  image  size  640x480  or  307.2  KB  by  the 
average  image  size  after  compression  using  Table  1  in  Ref  [71].  The  compression  parameter  QF  means  quality 
factor  CF  means  compression  factor.  HD  means  Hamming  Distance.  The  greater  increment  of  Hamming  Distance 
means  more  reduction  in  recognition  accuracy. 

Figure  46  illustrates  the  compression  rate  vs  hamming  distance  increase  using  Table  1  from[71].  These  results  are 
similar  to  the  findings  in  [67]  that  show  as  compression  increases  the  Hamming  distance  increases.  Using  cropping, 
RIO  and  JPEG  2000,  the  system  can  achieve  153.6:1  with  only  increasing  the  Hamming  distance  to  0.027.  And,  it 
has  been  shown  it  is  possible  to  compress  an  iris  image  180:1  with  an  increase  in  hamming  distance  of  only  0.035. 
An  increase  in  Hamming  distance  of  0.02  to  0.03  is  negligible[71]  and  this  show  that  it  possible  to  compress  an 
image  greatly  but  still  preserve  the  iris  information  if  the  image  is  compressed  after  the  iris  is  detected  and 
segmented.  On  the  other  hand  if  the  image  is  compressed  before  segmentation  a  100:1  compression  ratio  results  in  a 
greater  increase  in  hamming  distance.  The  increase  in  hamming  distance  is  0.057  between  the  original  to  original 
and  the  100:1  to  original.  This  shows  it  is  possible  to  store  an  iris  image  in  a  small  format  if  it  can  be  segmented 
first,  but  using  an  iris  image  that  comes  from  an  extremely  compressed  source  is  more  difficult,  because  the 
background  and  iris  are  given  the  same  priority  when  image  was  compressed. 


DRDC  CSS  CR  201 1-29 


Compression  Vs.  Hamming  Distance 
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Figure  45:  Hamming  Distances  as  a  Function  of  Compression 
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Figure  46:  Impact  of  Compression  of  Iris  Recognition  Accuracy 

5.4  Iris  Recognition  with  Contact  Lenses 

Contact  lenses  with  iris  patterns  printed  on  them  can  cause  errors  in  the  iris  recognition  system.  Daugman  has 
proposed  a  liveness  test  that  can  detects  if  the  image  has  a  fake  iris  pattem[3].  This  liveness  test  is  based  on  the 
frequency  domain  analysis  of  iris  patterns.  If  there  is  a  spike  of  high  energy  in  some  middle  or  high  frequency  range 
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then  it  means  that  there  is  a  dot  grid  pattern  caused  a  fake  iris. 

Baker  et  al  [72]  have  studied  the  effect  of  transparent  contact  lens  on  the  recognition  accuracy  of  several  iris 
recognition  systems.  Their  data  was  taken  in  the  same  studio  with  consistent  ambient  indoor  lighting.  They  visually 
inspected  all  the  images  and  reject  any  that  were  low  quality.  They  then  classified  the  contact-lens  wearing  subjects 
into  five  different  categories  based  on  a  visible  inspection  they  preformed  manually. 

•  Category  0  -  No  contact  lens 

•  Category  1  -  minimal  or  no  change  to  the  iris.  At  most  these  images  contain  a  faint  visible  edge. 

•  Category  2  -  images  contain  a  definite  circular  boundary  on  the  iris  area. 

•  Category  3  -  contains  images  which  the  lens  has  writing  on  the  lens,  the  lens  fits  improperly  causing  it  not  to 
lay  flat  on  iris,  or  the  lens  produces  an  artifact  greater  than  a  definite  ring  seen  in  Category  two. 

•  Category  4  -  contains  the  iris  images  where  the  subject  is  wearing  hard  contact  lenses.  Hard  contacts  produce  a 
very  noticeable  ring  and  severely  distort  the  area  they  cover. 

They  had  92  subjects  that  never  wore  contacts,  52  subjects  who  wore  the  same  type  of  contact  lenses  and  32  subjects 
who  wore  contacts  sometimes  and  didn’t  wear  contacts  for  other  test,  and  there  were  3  people  who  changed  the  type 
of  contacts  they  wore.  In  total  there  are  12,003  iris  images  from  87  contact-lens-wearing  subjects  and  9,697  non¬ 
contact-lens  wearing  subjects.  75%  of  the  subjects  were  between  19  and  25  years  and  they  have  an  ethnic 
breakdown  of  36  Asian,  6  Hispanics,  122  Caucasian,  and  7  subjects  no  reporting.  There  is  no  discussion  in  the  paper 
about  the  time  between  the  acquisitions  of  the  images,  however  they  do  mention  that  images  of  hard  contacts  visible 
look  different  if  they  are  acquired  in  different  sessions. 

All  the  images  that  failed  to  segment  correctly  in  the  IrisBEE  are  also  removed  from  the  dataset,  but  the  size  of  the 
other  datasets  seems  to  suggest  these  images  weren’t  all  removed  from  the  other  two  datasets.  The  data  shows  that  a 
different  number  of  images  were  used  for  each  system  in  different  test,  it  is  unclear  how  or  why  these  images  are 
removed,  particularly  the  OvO  comparison  of  the  CMU  datasets.  See  Figure  47  for  the  number  of  images  used. 
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Figure  47:  Number  of  iris  images  used  to  eompare  in  eaeh  method 

For  analysis  of  these  images,  this  test  used  three  different  recognition  systems.  The  first  was  a  modified  version  of 
the  IrisBEE  system  [68,  73].  The  second  was  the  commercial  VeriEye  Iris  SDK  from  Neurotechnology  [60].  The 
third  system  is  an  iris  recognition  by  Carnegie  Mellon  University  [3  6].  The  mean  element  is  an  average  of  the 
hamming  distance  for  the  IrisBEE  and  Carnegie  Mellon  system,  the  smaller  the  hamming  distance  the  closer  the 
images  are  to  being  a  match.  The  mean  element  for  the  VeriEye  system  is  match  store  that  VeriEye  provides.  This 
score  is  from  zero  to  3235  where  3235  is  an  identical  image  and  zero  is  not  a  match.  In  this  system  the  average 
match  score  is  about  400  and  the  non  match  score  is  zero.  It  should  also  be  noted  that  in  this  system  comparing 
image  1  to  image  2  is  not  the  same  as  comparing  image  2  to  image  1 .  So  Baker  et  al.  averaged  the  results  of  these 
two  different  permutations  in  every  case  and  reported  that  as  the  results. 
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Figure  48:  IrisBEE  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  ERR 


Figure  49:  IrisBEE  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  FRR 


Figure  48  shows  the  genuine  Hamming  distance,  the  average  score  for  matching  iris  from  the  same  iris.  Each 
category  is  compared  to  all  the  other  categories  where  data  is  available.  Category  0  shows  an  increase  as  it  is 
compared  to  worst  images.  This  trend  changes  inexplicitly  when  it  is  compared  to  Category  4  iris.  Category  1 
performs  similarly  when  compared  to  Category  1  or  Category  2  but  increases  greatly  when  compared  to  Category  3. 
Category  2  match  score  improves  when  it  matched  to  Category  3.  Category  3  self  matches  performs  about  the  same 
as  the  Category  3  to  Category  0.  Category  4  self  matches  performs  the  worst  of  any  in  this  area. 

Figure  49  the  FRR  for  all  the  different  cross  match  scores.  For  this  test  Hamming  distance  that  is  greater  than  0.32  is 
considered  to  be  a  false  rejection.  In  this  graph  the  Category  0  increases  when  compared  to  Category  1  and  slightly 
increases  when  compared  to  Category  2.  Then  Category  0  begins  to  decrease  when  it  is  compared  to  Category  3  and 
Category  4.  Category  1  decreases  slight  when  compared  to  Category  2  and  increases  when  compared  to  Category  3. 
The  FRR  of  Category  2  increase  dramatically  when  compared  to  Category  3.  This  is  unexpected  because  the 
Hamming  distance  for  this  test  decreased.  This  must  mean  that  there  are  some  strong  matches  that  help  give  this 
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group  a  strong  Hamming  distance.  This  might  also  have  to  do  with  the  fact  that  this  group  has  a  small  set  of  only  32. 
Category  3  self  matches  preformed  worst  than  the  category  0  or  1  but  better  then  the  category  2  match  to  Category 
3.  Category  4  has  a  very  high  FRR  of  over  40%. 


Figure  50:  VeriEye  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  FRR 


Figure  51:  VeriEye  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  FRR 


The  VeriEye  system  performed  the  best  on  this  test.  Figure  50  shows  the  mean  match  score  for  all  the  tests.  When 
comparing  Category  0  to  the  other  categories  the  match  score  decreases  as  the  level  of  contact  derogation  increases, 
until  category  4,  when  the  match  score  improves.  Category  1  decrease  continuously  as  the  level  of  contact 
derogation  increases.  Category  2  score  decrease  across  the  board  until  it  is  compared  to  Category  3,  then  a  marked 
improvement  is  observed.  The  Category  4  self  match  performs  worse  than  the  Category  4  verse  Category  1 .  As  seen 
in  Figure  5 1  the  FRR  of  Category  0  increases  until  Category  3,  and  then  it  becomes  zero  for  Category  3  and  4. 
Category  I’s  FRR  also  decreases  to  almost  zero  after  Category  0  comparison.  Category  2  follows  a  similar  trend  as 
Category  1 .  Category  3  comparison  also  a  very  low  FRR  until  it  is  compared  to  itself,  and  a  marked  increase  in  FRR 
is  observed.  The  FRR  of  Category  4  is  also  very  high  but  not  as  bad  as  the  Category  2  verse  Category  0  comparison. 
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Figure  52:  CMU  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  FRR 


Figure  53:  CMU  system  results;  Mean  genuine  eross  matehing  HD,  Cross  matehing  FRR 


Finally  the  mean  Hamming  distance  of  the  CMU  system  is  analyzed  is  Figure  52.  The  HD  of  Category  0  increase  as 
the  level  of  contact  derogation  is  increased.  Category  I’s  Hamming  distance  improves  as  against  Category  1  and  2, 
but  increase  as  compared  to  Category  3.  Category  2’s  HD  decrease  when  compared  to  category  1  but  increase  in  the 
self  comparison.  Category  3  increases  from  Category  0  to  Category  1  comparisons.  There  is  no  Hamming  distance 
listed  for  Category  2  verse  Category  3  in  this  test  only.  The  self  comparison  is  slightly  higher  than  the  category  0 
verse  Category  3. 

For  FRR  in  the  CMU  see  Figure  53,  A  false  rejection  for  this  system  is  a  Hamming  distance  greater  than  0.28,  this  is 
to  make  it  comparable  to  the  IrisBEE  system.  For  Category  0  the  FRR  increased  for  Category  1  then  decreased  until 
Category  4,  where  an  increase  was  noticed.  Category  1  FRR  increased  slight  from  Category  0  to  self  comparison. 
Then  the  FRR  decrease  slight  when  compared  to  Category  2,  then  a  large  increase  was  observed  in  Category  3. 
Category  2  increase  from  Category  0  and  Category  1  comparison,  but  decreased  in  the  self  comparison.  There  was  a 
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FRR  of  0%  listed  for  the  Category  2  verse  Category  3,  but  there  was  no  average  hamming  distance  listed  so  the 
validity  of  this  point  is  questionable.  Category  4  self  comparisons  performed  the  worst. 

The  contact  lenses  introduce  noise  onto  iris  images,  as  the  result,  the  ability  to  match  the  iris  decreases.  Their  data 
shows  that  the  intra-category  match  score  always  got  worst  as  the  level  of  the  contact  interference  increase  in  all  the 
system.  The  intra-category  matches  all  have  relatively  large  dataset  this  seems  to  be  a  reasonable  statement. 

Figure  54  has  the  intra-category  FRR  for  all  the  systems,  all  the  data  points  except  for  one  (CMU  Category  2)  are 
increasing.  They  went  on  to  say  that  to  improve  this  enrolling  or  testing  without  a  contact  will  improve  this.  The 
data  shows  that  for  Category  4  verse  Category  0  always  outperforms  Category  4  self  match  dramatically  and  in  all 
systems.  The  data  set  for  the  Category  0  verse  4  is  comparatively  small,  only  412  images,  and  it  is  also  unclear  how 
many  iris  were  used  in  this  and  all  other  tests.  So  they  might  not  have  enough  data  to  say  this  with  certainty.  The 
other  cross  match  scores  generally  don’t  follow  this  trend,  they  seem  to  increase  and  decrease  randomly  as  the  level 
of  contact  interference  changes.  This  might  be  because  the  cross  match  scores  all  have  smaller  image  sets. 
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Figure  54:  FRR  vs.  category 


The  false  acceptance  rate  caused  by  non  cosmetic  prescription  lenses  was  not  discussed  in  depth  in  this  paper.  They 
show  some  ROC  curves  and  false  match  score  distribution  graphs  but  nothing  more  than  that.  For  the  CMU  and 
VeriEye  system  these  graphs  show  almost  no  change  as  contacts  are  added,  but  the  IrisBEE  shows  a  definite 
increase  in  FAR  when  comparing  Category  4  images. 


5.5  Iris  Recognition  and  Eye  Disease 

As  a  greater  number  of  people  use  iris  recognition  systems  people  the  likelihood  of  encountering  people  with  eye 
disease  increases.  For  this  reason  it  is  important  to  examine  how  eye  diseases  affect  the  recognition  accuracy  of  iris 
recognition  systems.  Aslam  et  al.  [74]  are  only  researchers  to  study  this.  In  this  experiment  pictures  of  diseased  iris 
were  taken  and  then  compared  to  an  image  taken  after  the  iris  had  been  treated.  The  test  consists  of  data  from  54 
individuals.  To  obtain  the  image  a  HI 00  Iris  Guard  portable  tripod-mounted  iris  camera  was  to  take  a  high 
resolution  image  under  controlled  illumination. 

To  compare  the  images  Aslam  used  Daugmans’s  algorithms  to  process  the  images  and  find  the  Hamming  Distance 
between  the  before  and  after  treatment  image.  In  this  test  any  Hamming  distance  greater  than  0.33  is  considered  to 
not  match.  There  are  five  eyes  that  changed  enough  to  make  the  Hamming  distance  greater  than  0.33.  In  all  five 
cases  these  are  cases  of  anterior  uveitis.  Three  of  these  are  posterior  synechiae  (stuck-down  iris  causing  pupil 
distortion)  as  shown  in  Figure  55.  None  of  the  other  diseases  caused  a  significant  Hamming  distance  increase.  Eyes 
that  have  had  laser  iridotomies  and  that  had  been  pharmacologically  constricted  were  correctly  identified.  Even  an 
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eye  with  large  inferior  coloboma  (developmental  iris  defect)  was  able  to  be  identified  with  the  Daugman  algorithm. 
This  suggests  that  even  considerable  iris  abnormalities  don’t  cause  a  false  rejection.  None  of  the  iris  with  corneal 
disease  were  falsely  rejected,  this  includes  cases  where  corneal  opacities  limited  the  full  iris  feature  view.  The 
reason  corneal  opacities  didn’t  affect  the  iris  identification  is  that  the  NIR  light  used  by  the  camera  was  less 
attenuated  by  opacities. 


Figure  55:  Example  of  iris  pattern  ehange  before  and  after  treatment  for  Syneehiae  [74] 
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Figure  56:  The  average  Hamming  distanee  for  eaeh  eye  disease. 

Figure  56  shows  the  hamming  distance  for  each  of  the  different  eye  diseases  and  the  control  eyes.  This  data 
clearly  shows  that  the  only  significant  increase  in  Hamming  distance  is  caused  by  anterior  uveitis. 

5.6  Next  Generation  Iris  Recognition  Systems 

5.6.1  Video-based  Non-cooperative  Iris  Recognition 

As  iris  recognition  technologies  continues  to  mature,  it  will  gain  the  ability  to  acquire  an  image  without  the  end  user 
even  knowing.  This  will  make  iris  recognition  a  great  way  to  verify  people  because  it  will  cause  no  extra  burden  for 
the  user.  This  technology  also  has  great  potential  for  finding  people  of  interest,  because  a  non-cooperative  iris 
recognition  system  can  identify  people  without  the  making  the  person  aware  they  are  being  indentified.  This 
application  is  particularly  valuable  for  security  at  airport,  borders  or  any  other  any  public  place. 

Most  existing  iris  recognition  methods/systems  used  individual  image  for  recognition.  Some  of  them  may  use  a  few 
image  frames  for  recognition  and  select  the  best  recognition  result  to  represent  the  matching  result.  Under  non- 
cooperative  situation,  iris  image  quality  is  often  low.  Using  single  image  for  recognition  may  not  achieve  good 
recognition  result. 
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Figure  57:  The  diagram  of  the  video-based  non-eooperative  iris  reeognition  system. 


In  [24],  Du  et  al  proposed  a  video-based  non-cooperative  iris  segmentation  method  that  can  quickly  filter  poor 
quality  images  and  use  coarse  to  fine  approaches  to  perform  accurate  iris  segmentation.  In  [40],  Du  et  al  proposed 
using  that  uses  video-based  non-cooperative  iris  recognition  system  as  shown  in  Figure  57.  Unlike  traditional 
approach,  we  used  multiple  enrollment  images  to  match  with  input  video  image.  The  matching  score  between  the 
enrollment  image  and  the  individual  video  frame  is  fused  with  the  segmentation  evaluation  score.  After  majority 
vote,  if  the  best  matching  score  of  the  video  to  an  enrollment  iris  satisfies  the  matching  threshold,  the  matching  score 
will  be  the  matching  result  for  the  video  to  that  enrollment  eye.  Matching  results  from  the  video  sequence  to  other 
enrollment  eyes  will  be  set  to  1  (1  means  no-match).  If  even  the  highest  matching  score  does  not  satisfy  the 
matching  threshold,  this  video  will  not  be  matched  to  any  eye.  The  result  is  FAR  =  0  and  HER  =  0  for  all  thresholds 
since  only  one  or  zero  matching  scores  are  retained  for  each  video.  73  videos  (about  24.5%  of  the  videos)  were  not 
recognized  since  some  videos  could  not  generate  satisfactory  matching  results.  For  the  rest  of  the  videos,  there  is 
100%  recognition  accuracy  (0%  FAR  at  0%  FRR).  The  results  show  that  100%  accuracy  can  be  obtained  using 
multiple  enrollment  images,  video  sequences  of  an  iris,  and  fusion  of  matching  scores;  even  in  a  non-cooperative  iris 
dataset. 


Enrollment  Database 


M  Similarity 
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Near  lnfrared(  NIR)  Video 

Figure  58:  Matching  protocol  for  non-cooperative  iris  recognition 


As  shown  in  Figure  58,  future  non-cooperative  iris  recognition  systems  will  be  able  to  work  from  a  greater  distance. 
As  this  technology  continues  to  improve  it  even  has  the  potential  to  scan  large  groups  of  people  for  target 
individuals. 


5.6.2  Multiple  Wavelength  Based  Iris  Recognition 
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NIR  images  have  been  dominant  in  iris  identification  [75].  One  downside  to  NIR  light  is  it  requires  active  NIR 
illumination.  Visible  wavelength  iris  recognition  could  function  using  environmental  illumination.  In  addition, 
visible  wavelength  recognition  is  important  because  it  can  be  used  with  facial  recognition  for  multimodal 
biometrics.  In  the  future  regular  color  surveillance  camera  may  have  the  capability  to  perform  iris  recognition. 

Visible  wavelength  iris  recognition  has  its  own  challenges,  especially  it  is  challenging  for  dark  color  eyes  and 
remote  iris  recognition.  Proenca  has  discussed  several  issues  using  visible  wavelength  in  [75].  He  performed  iris 
segmentation  in  unconstrained  situation  acquired  at-a-distance  and  on-the-move.  Rather  than  segmenting  the  pupil 
first,  like  many  NIR  systems  do  Proenca  first  detected  the  sclera.  The  information  about  the  sclera  was  then  used  to 
find  the  iris.  The  data  is  processed  with  a  multilayered  feed-forward  neural  network  to  calculate  the  location  of  the 
sclera.  Proenca  then  calculated  how  many  sclera  pixels  are  left,  right,  above  and  below  each  non-sclera  pixel.  By 
looking  at  the  regions  that  have  a  significant  amount  sclera  to  the  left  and  right  it  is  possible  to  find  the  iris  region.  A 
polynomial  regression  on  the  polar  coordinate  system  was  then  run  in  order  to  segment  the  shape  of  the  iris.  To  find 
the  center  of  the  iris  was  found  by  summing  the  binary  image  of  the  iris  in  the  x  and  y  directions  and  calculating  the 
maximum.  From  there  the  image  is  put  into  polar  coordinates  and  a  polynomial  is  fit  to  the  data  points.  However  in 
[12],  Procenca  and  Alexandre  showed  that  the  iris  recognition  in  visible  wavelengths  are  still  very  challenging  and 
the  accuracy  is  much  lower  than  recognition  result  in  NIR  wavelengths,  especially  for  dark  color  eyes. 

Chou  et  al  proposed  to  use  RGB  and  NIR  images  together  for  iris  recognition  [9].  In  this  paper  a  four-spectral 
camera  was  used  to  capture  non  orthogonal  view  images.  The  first  step  in  their  process  was  segmenting  the  pupil.  A 
binary  threshold  was  then  performed  on  the  NIR  image.  Morphology  is  then  performed  on  the  binary  image  to  find 
areas  that  are  the  size  and  in  the  right  location.  Finally  an  ellipse  fitting  algorithm  was  used  to  find  the  boundary  of 
the  final  pupil  candidate.  An  affine  transformation  is  the  next  step  of  their  process.  This  process  turns  the  elliptical 
pupil  into  a  circle.  This  is  done  my  first  rotating  the  image  so  the  major  axis  of  the  ellipse  is  vertical  and  the  minor 
axis  is  horizontal.  Then  the  image  is  stretched  horizontally  so  the  minor  axis  is  as  long  as  the  major  axis.  Then  the 
image  is  rotated  back  to  its  original  orientation.  Chou  et  al  designed  the  Intelligent  Random  Sample  Consensus  or 
RANSAC  for  limbic  boundary  recognition.  This  method  uses  the  four-spectral  measurements  rather  than  the 
orientation  of  the  edge  filter,  like  tradition  intelligent  iris  segmentation  systems.  Like  most  iris  recognition  rubber 
sheet  method  is  used  to  normalize  the  mask  and  the  image  in  polar  coordinates.  For  encoding  the  image  edge-type 
descriptor  are  used.  Because  of  noise  that  could  be  in  the  image  only  the  vertical  edges  are  used  in  their  test.  The 
two  filters  they  used  are  derivative  of  Gaussian  and  Laplacian  of  Gaussian.  The  filters  are  then  convolved  with  the 
images  to  get  filtered  images.  If  the  filtered  images  have  intensity  greater  than  0  it  is  likely  that  there  is  a  ridge  at 
that  location.  For  matching  the  Daugman  hamming  distance  is  used. 

In  the  future,  multiple-wavelength  iris  recognition  may  attack  more  attention  and  can  work  with  multiple- 
wavelength  face  recognition  together  for  video  surveillance. 

5.6.3  Multimodal  Eye  Recognition 

Multimodal  biometrics  is  introduced  in  1998  to  combine  multiple  biometrics  to  do  positive  human  identification  in 
commercial  applications.  By  using  more  than  one  means  of  biometric  identification,  the  multimodal  biometric 
identifier  can  obtain  high  recognition  accuracy.  However,  choosing  reliable  biometric  identifiers  is  still  a  question  in 
multimodal  biometrics. 

Since  the  iris  patterns  of  dark  color  eyes  could  reveal  rich  and  complex  patterns  only  under  NIR  light,  if  the  NIR  iris 
image  be  obtained  in  long  distance,  the  accuracy  of  iris  recognition  will  drop  dramatically.  And  if  we  acquire  iris 
image  in  visible  light,  the  iris  patterns  of  dark  color  eyes  will  be  hardly  visible  under  visual  light. 

In  [76],  Thomas  et  al  showed  that  the  sclera,  the  white  and  opaque  outer  protective  covering  of  the  eye,  can  also  be 
used  in  human  identification.  They  designed  an  illumination-,  orientation-,  translation-,  and  deformation-invariant 
sclera  recognition  method.  In  [77],  Zhou  et  al.  proposed  a  multimodal  eye  recognition  method  by  fusing  sclera  and 
iris  recognition.  Figure  59  shows  the  process  of  multimodal  eye  recognition  system. 
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Figure  59:  Multimodal  eye  reeognition  system.. 
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For  iris  recognition,  a  typical  iris  recognition  method  can  be  used.  The  diagram  of  the  sclera  recognition  system  is 
shown  in  Figure  60,  which  includes  segmentation,  feature  extraction,  and  feature  matching. 
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Figure  60:  The  selera  reeognition  system 
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For  the  sclera  image  segmentation  process,  it  includes  image  downsampling,  conversion  to  the  HSV  color  space, 
estimation  of  the  sclera  region,  iris  and  eyelid  detection,  eyelid  and  iris  boundary  refinement,  mask  creation,  and 
mask  upsampling.  The  sclera  region  is  estimated  using  the  best  representation  between  two  color-based  techniques. 

For  the  sclera  vein  pattern  enhancement,  a  bank  of  multiple  directional  Gabor  filters  is  used  for  vascular  pattern 
enhancement.  For  the  sclera  feature  extraction,  a  line  descriptor  approach  is  proposed.  The  line  segments  are 
described  by  three  quantities  -  the  line  segments’  angle  to  some  reference  angle  at  the  pupil  center,  the  line 
segments’  distance  to  the  pupil  center,  and  the  dominant  angular  orientation  of  the  line  segment.  The  total  descriptor 
for  the  sclera  vein  structure  is  the  set  of  all  of  the  individual  segments’  descriptors. 

For  sclera  template  matching,  a  new  method  based  on  a  RANS AC-type  algorithm  is  developed  to  estimate  the  best- 
fit  parameters  for  registration  between  the  two  sclera  vascular  patterns. 

In  multimodal  biometrics  score  fusion  part,  since  matching  scores  of  iris  recognition  and  sclera  recognition  are  not 
in  the  same  range,  Min-Max  (MM)  method  is  applied  to  do  score  normalization.  After  that.  Kernel-based  matching 
score  fusion  of  iris  matching  score  and  sclera  matching  score  is  used  to  improve  the  performance  of  eye  recognition 
system.  The  experimental  results  show  that  the  proposed  eye  recognition  method  can  achieve  better  performance 
compared  to  unimodal  biometric,  and  the  accuracy  of  proposed  kernel-based  matching  score  fusion  method  is  higher 
than  other  traditional  methods. 


Other  methods  of  multimodal  biometrics  are  also  used,  such  as  fmgerprint/iris,  and  fmgerprint/iris/face.  In  the 
future,  more  kinds  of  multimodal  biometric  systems  will  be  designed/developed  to  achieve  high  recognition 
accuracy,  be  more  user  friendly,  and  provide  more  flexibility  in  applications. 

5.7  Conclusions  and  Acknowledgements 

In  this  section  we  preformed  thorough  literary  review  of  iris  segmentation,  feature  extraction,  template  generation, 
matching  and  quality  measures.  Then  the  study  of  the  state-of-the-art  system  was  conducted,  which  includes  a  test 
and  analysis  of  a  commercial  system  using  seven  datasets  and  a  summary  of  available  commercial  systems.  Some  of 
the  challenges  of  existing  systems  were  also  covered  in  this  section.  Finally,  new  trends  in  iris  recognition  were 
discussed. 
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We  investigated  the  vulnerabilities  of  state-of-the-art  iris  recognition  system  over  compression,  contact  lenses  and 
eye  diseases.  Then  we  discussed  non-cooperative  iris  recognition,  iris  recognition  in  the  visible  light  spectra, 
multiple  wavelength  iris  recognition  and  multimodal  biometric  approaches. 

In  conclusion,  iris  recognition  has  proven  to  be  an  accurate  and  reliable  biometric  method.  Our  extensive  study  of 
iris  recognition  systems  has  proven  current  systems  are  able  to  accurately  recognize  people  in  well  controlled 
situations.  Advances  in  iris  recognition  technology  will  allow  even  higher  accuracy  and  more  ruggedized  system.  By 
utilizing  different  spectra  of  light  and  multimodal  biometrics  there  will  be  a  great  number  of  applications  for 
biometrics.  Non-cooperative  iris  recognition  is  an  emerging  area  that  can  make  iris  recognition  more  user  friendly 
and  flexible,  and  make  it  even  possible  for  iris-based  video  surveillance. 

The  research  in  section  uses  the  ICE  2005  [68]  and  MBGC  2008  [66]  datasets  provided  by  NIST,  CASIA  2.0  and 
CASIA  3.0  iris  image  dataset  collected  by  the  Institute  of  Automation,  Chinese  Academy  of  Sciences  [69],  WVU 
dataset  provided  by  Dr.  A.  Ross  at  West  Virginia  University  [65],  and  UBIRIS  dataset  provided  by  the  Department 
of  Computer  Science  at  the  University  of  Beira  Interior  [39].  We  will  also  like  to  thank  the  people  who  contributed 
their  sclera  data  for  and  lUPUI  Multi-wavelength  and  lUPUI  remote  dataset. 
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6 


GenKey  Fingerprint-Based  PET  Performance  Evaluation 


6. 1  GenKey  T echnology 

GenKey,  a  leading  provider  of  biometric  PET  solution,  was  founded  in  2001  as  a  division  of  the  Norwegian 
Software  as  a  Service  (SaaS)  company  Meltwater.  The  company  has  developed  a  biocryptic  algorithm  that  bridges 
cryptology  with  biometrics.  This  patented  algorithm  converts  a  biometric  image  into  Public  Key  Infrastructure 
(PKI)-compatible  crypto  keys  that  are  irreversible  and  share  no  mathematical  relationship  with  the  biometric  sources 
they  represent.  Its  solutions,  branded  as  Biocryptic  ID  Management  Systems  (BIDS),  can  be  applied  to  a  variety  of 
contexts  including  education,  licensing  and  healthcare. 

The  GenKey  algorithm  provides  a  means  to  enroll  and  verify  individuals  based  on  biometric  information,  such  as  a 
fingerprint.  The  algorithm  offers  a  number  of  options  which  provide  tradeoffs  between  recognition  speed,  accuracy, 
and  biometric  privacy. 

6.1.1  GenKey  Feature  Template  vs.  ID  Key  Enrollments 

The  GenKey  algorithm  can  perform  two  types  of  enrollment.  In  feature  template  enrollment,  discriminating  features 
from  fingerprint  images  are  extracted  and  stored  as  the  individual’s  biometric  template.  The  feature  template  is 
stored  for  later  use  and  the  biometric  image  may  be  discarded. 

ID  Key  enrollment  also  extracts  discriminating  features  from  fingerprint  images,  but  converts  features  into  a 
numerical  value  which  represents  the  individual’s  biometric.  At  the  conclusion  of  an  ID  Key  enrollment,  the  ID  Key 
(numerical  value)  is  stored  and  the  biometric  image  and  feature  template  may  be  discarded.  This  type  of  enrollment 
is  focus  of  IBG’s  performance  evaluation. 

During  ID  Key  enrollment,  an  enrollee  in  provides  one  or  more  images  from  one  or  more  fingers.  These  sample 
fingerprint  images  are  first  converted  to  feature  templates  as  described  earlier.  The  enrollment  feature  templates 
from  all  fingers  to  be  enrolled  are  then  combined  into  a  single  digit  or  key  that  represents  the  set  of  provided 
enrollment  fingers.  This  ID  Key  can  then  be  stored  for  later  use  during  verification  or  identification,  as  show  in 
Figure  61. 


Feature 

Template 


Figure  61:  ID  Key  Generation  Proeess 

An  ID  Key  created  from  multiple  fingerprint  positions  is  referred  to  as  a  fusion  key.  Multiple  fingerprint  positions 
generally  provide  higher  verification  accuracy  than  a  single  fingerprint  position. 

During  verification,  the  individual  provides  one  or  more  enrolled  fingerprints.  The  GenKey  algorithm  analyzes  the 
images  and  creates  a  feature  template.  The  feature  template  and  ID  Key  are  provided  to  the  GenKey  algorithm  and  a 
binary  verification  decision  is  returned. 

For  ID  Keys,  balancing  the  tradeoff  between  FAR  and  FRR  is  accomplished  through  an  FAR  control  parameter 
provided  to  the  algorithm.  Keys  are  created  with  respect  to  a  particular  FAR  control  parameter.  The  value  of  the 
FAR  control  parameter  ranges  from  0.0  to  1.0;  lower  values  correspond  to  lower  FAR  (and  higher  FRR).  The  FAR 
control  parameter  is  only  applicable  at  enrollment.  As  a  result,  adjusting  the  FAR  threshold  will  not  impact  the  error 
characteristics  of  keys  that  have  already  been  enrolled. 


ID  Key 


Biometric 

Sample 
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In  keeping  with  the  Study’s  focus  on  the  commercial  viability  of  PETs  for  defence  applications,  IBG  tested  two 
GenKey  ID  Key  types: 

•  Standard  ID  Keys  offer  performance  near  the  performance  of  the  feature  template  enrollments. 

•  Flex  ID  Keys  tradeoff  key  size  and  accuracy. 

Various  Flex  ID  Key  sizes  can  be  configured  to  meet  the  storage  needs  of  the  application,  and  the  GenKey  library 
will  maximize  accuracy  for  the  given  key  size  automatically.  Flex  ID  Keys  provide  similar  accuracy  performance  as 
Standard  ID  Keys  but  in  a  slightly  smaller  footprint.  Flex  ID  keys  are  designed  to  maintain  reasonable  performance 
levels  even  at  substantially  reduced  key  sizes.  From  a  product  development  perspective,  with  the  introduction  of 
Flex  ID  Key,  GenKey  notes  the  Standard  ID  Key  will  be  phased  out  in  future  releases.  The  two  types  of  ID  Keys, 
along  with  GenKey ’s  traditional  feature-based  enrollment,  are  compared  in  Figure  62. 


Feature  Template  (not  a  PET) 

Standard  ID  Key  (PET) 

Flex  ID  Key  (PET) 

Accuracy 

Feature  enrollments  provide  the  most 
robust  performanee. 

Standard  ID  Keys  will 
perform  at  only  slightly 
degraded  error  rates  as 
eompared  to  feature 
templates. 

Flex  ID  Keys  provide  a 
range  of  aeeuraey 
performanee  options.  The 
largest  Flex  ID  Keys 
provide  aeeuraey  similar 
to  Standard  ID  Keys. 

Privacy 

Offers  some  privaey  proteetion  for  the 
fingerprint;  having  aeeess  to  a  feature 
template  does  not  provide  a  malieious 
user  with  eapability  to  reeonstruet  the 
original  fingerprint.  With  detailed 
knowledge  of  the  GenKey  feature 
template  ereation  proeess,  a  malieious 
user  eould  gain  aeeess  to  general 
information  about  the  fingerprint 
strueture. 

ID  Keys  offer  a  privaey  advantage  over  feature  template 
enrollment.  A  malieious  user  with  aeeess  to  the  ID  Key 
eannot  praetieally  regenerate  the  fingerprint  features  or 
extraet  any  detailed  information  about  the  fingerprint 
strueture.  The  teehnique  used  to  eonvert  the  feature 
template  to  a  key  is  analogous  to  a  eryptographie  one¬ 
way  funetion.  It  is  easy  to  eompute  an  ID  Key  from  a 
feature  template;  however,  reversing  this  proeess  is 
eomputationally  infeasible. 

Throughput 

Feature  enrollments  offer  the  fastest 
seareh  speeds.  The  GenKey  algorithm  is 
eapable  of  performing  millions  of  feature 
template  matehes  per  seeond  using 
ordinary  eomputer  hardware. 

While  not  as  fast  as  feature  template  matehing,  ID  Key 
verifieations  ean  also  be  performed  at  relatively  high 
speeds  using  ordinary  eomputer  hardware;  GenKey 
estimates  rates  of  hundreds  of  thousands  of  verifieations 
per  seeond.  Mateh  speed  inereases  (i.e.  beeomes  slower) 
as  strieter  mateh  thresholds  are  applied. 

Typical  Key  Size 

128-256  bytes 

64-128  bytes 

12-107  bytes 

Figure  62:  Standard  and  Flex  ID  Tradeoff 


The  performance  of  the  GenKey  algorithm  was  evaluated  using  the  following  ID  Key  configurations: 

•  Standard  ID 

•  Flex  ID  12  bytes 

•  Flex  ID  25  bytes 

•  Flex  ID  56  bytes 

•  Flex  ID  107  bytes 
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6.2  Methodology 

6.2.1  Test  Data 

IBG  has  a  collection  of  approximately  20,000  flat  fingerprint  images  (left  and  right  index,  middle,  and  thumb)  from 
1,200  subjects  collected  under  indoor  office  conditions.  Fingerprint  images  were  collected  through  a  500dpi  Cross 
Match  Verifier.  Each  subject  provided  two  samples  per  position  during  a  first  visit.  Additionally,  approximately  650 
of  the  1,200  subjects  provided  two  samples  per  position  during  a  second  visit  which  occurred  roughly  one  month 
after  the  first. 

Images  were  inspected  at  the  time  of  capture  for  quality,  but  no  automated  quality  checks  were  implemented. 
Therefore  data  quality  is  variable. 

In  addition  to  processing  through  the  GenKey  algorithm,  IBG  processed  the  same  fingerprint  dataset  through  a 
widely-adopted,  minutiae-based  fingerprint  algorithm  -Neuortechnology  VeriFinger  version  6.3.  The  VeriFinger 
processing  approach  was  equivalent  to  the  GenKey  approach  described  below.  Comparing  and  contrasting  GenKey 
results  with  VeriFinger  results  will  provide  a  general  frame  of  reference  for  validating  the  commercial  viability  of 
GenKey’ s  ID  Key  technology. 

6.2.2  Enrollment  Process 

Using  a  Software  Development  Kit  (SDK)  provided  by  GenKey,  IBG  developed  a  custom  application  that 
performed  feature  extraction,  template  creation,  and  ID  Key  creation.  First- visit  fingerprint  images  were  used  for 
enrollment  and  ID  Key  creation.  As  shown  in  Figure  63,  two  different  images  for  each  position  were  used  to  create  a 
generalized  enrollment.  This  increases  matching  accuracy  and  is  consistent  with  GenKey  usage  in  operational 
deployments. 


Visit  1  -  Left  Index 
Sample  1 


Visit  1  -  Left  Index 
Sample  2 


Visit  1  -  Right  Index 
Sample  1 

Visit  1  -  Right  Index 
Sample  2 


0010101001 


Figure  63:  Enrollment  Transaetion  Logie 


Both  index  fingerprints  had  to  enroll  in  order  for  an  enrollment  to  be  successful. 


RightWex 

ipiCey 
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6.2.3  Recognition  Process 


IBG  developed  a  custom  application  that  performed  bulk  matching.  Second-visit  fingerprint  images  were  used  for 
recognition  (i.e.  as  probe  images)  are  compared  against  first-visit  fingerprint  data. 


Visit  2 

Left  Index  - > 

Sample  1 


0010101001... 


Left  Ihdex 


Match  / 
No  Match 


Visit  2 

Left  Index  - > 

Sample  1  ^ 


Left  [hdex 


0010101001... 


Match/ 
No  Match 


Visit  2 

Right  Index  - > 

Sample  1  ^ 


Visit  2 

Right  Index  — 
Sample  2 


0010101001... 


Rightin'dex 


!P^I 


Match  / 
No  Match 


0010101001... 


Right'liidex 

I 


Match  / 
No  Match 


Transaction 

Decision 


Figure  64:  Recognition  Transaction  Logic 


As  shown  in  Figure  64,  verification  was  based  on  the  following  two-position  logic: 


Vwl£lcatloii(gti/  Si  ) 


ICSr  Z  9R  f]  Z  fl] 
It  Sr  Z  Sr  S]  S  ^1 


Where  a  match  is  denoted  by  ^  and  a  non-match  is  denoted  by  ^  . 


Sr  —  Right  Inds>3£  Oallei^ 

a  =  LeftlndesGaiM^TMuplate 

fir  =  Anms0 1,  Right  ^ttmipt  2] 

ai  ■  [L»’tt  'L  21 

If  any  match  occurred  between  a  sample  and  an  ID  Key,  the  transaction  was  declared  a  match.  If  all  samples  failed 
to  match  their  respective  ID  Keys,  the  transaction  was  declared  a  non-match.  All  comparisons  were  intra-position, 
meaning  that  (for  example)  index  fingerprints  were  never  compared  against  middle  fingers. 


Processing  volumes  (less  quality  failures  and  missing  positions)  as  shown  in  Figure  65. 


GenKey 


VeriFinger  6.N 
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Subjects 

650 

650 

VI  Samples 

2 

2 

V2  Samples 

2 

2 

Positions 

2 

2 

Genuine  comparisons 

456 

459 

Impostor  Comparisons 

550976 

560741 

Figure  65:  Fingerprint  Test  Parameters 


Metrics 

Based  on  collection  and  comparison  processes  described  above,  metrics  were  generated  as  shown  in  Figure  66 


Usability  Metrics 

Accuracy  Metrics 

•  Failure  to  Encode  Rate  (FTE) 

•  Failure  to  Acquire  Rate  (FTA) 

•  Processing  Time 

•  False  Match  Rate  (FMR) 

•  False  Non-Match  Rate  (FNMR) 

•  Matching  Error  Rates  by  Position 

•  Distribution  of  Errors  by  Subject 

Figure  66:  Fingerprint  Test  Metries 


6.3  Results 

6.3.1  Throughput 

The  most  relevant  timing  metric  for  GenKey  is  time  to  generate  a  feature  template  (i.e.  encoding  or  enrollment 

time).  At  operationally  relevant  security  levels,  GenKey  averaged  approximately  400ms  per  image.  In  a  1:1  system, 

this  process  time  can  be  considered  trivial. 

6.3.2  Enrollment  and  Encoding  Rates 

This  section  presents  results  for  enrollment  and  encoding  rates.  These  rates  can  be  discussed  at  the  image  level  and 

at  the  transaction  level. 

At  the  image  level: 

•  Failure-To-Enroll  Rate  (FTE)  is  the  proportion  of  enrollment  transactions  in  which  the  test  subject  failed  to 
enroll 

•  Failure-To- Acquire  Rate  (ETA)  is  the  proportion  of  recognition  transactions  in  which  the  test  subject  failure  to 
encode 

At  the  transaction  level: 

•  A  transactional  failure  to  enroll  occurred  if  zero  fingerprint  positions  were  able  to  generate  a  template  or  key 
during  enrollment 

•  A  transactional  failure  to  acquire  occurred  if  either  fingerprint  position  failed  recognition-phase  encoding  (in  a 
live-capture  system,  this  is  referred  to  as  acquisition) 
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Image-level  FTE  rates  are  shown  in  Figure  67. 


Enrollment  Attempts 

FTE  Count 

FTE  Rate 

VeriFinger  6.3 

2448 

42 

1.72% 

GenKey  ID  Key 

2448 

45 

1.84% 

Figure  67:  Comparative  Fingerprint  FTE 


Image-level  FTA  rates  are  shown  n  Figure  68. 


Recognition  Encoding 
Attempts 

FTA  Count 

FTA  Rate 

VeriFinger  6.3 

1841 

1 

0.05% 

GenKey  ID  Key 

1841 

66 

3.59% 

Figure  68:  Comparative  Fingerprint  FTA 


Results  show  that  GenKey  and  Verifmger  FTE  are  roughly  equivalent,  while  GenKey  FTA  is  substantially  higher 
than  VeriFinger  FTA.  This  underscores  the  concept  that  GenKey  is  predicated  on  the  use  of  high-quality  images 
whose  quality  is  validated  in  real  time  at  the  point  of  capture. 

6.3.3  Quality  of  Enrolled  Images 

Figure  69  shows  GenKey-generated  quality  values  for  encoded  images.  Quality  values  range  from  0-1  and  are 
binned  by  0.1  for  clarity.  Results  suggest  that  as  long  as  images  are  of  sufficient  quality  to  create  a  reference 
template,  that  GenKey  will  bin  the  image  as  high-quality. 


Fingerprint  Image  Quality 


0.0-  0.11-  0.21-  0.31-  0.41-  0.51-  0.61-  0.71-  0.81-  0.91- 

0.10  0.20  0.30  0.40  0.50  0.60  0.70  0.80  0.90  1.00 

Ouiility  Bin  (Higher  Valu^  =  Higher  Oiiaiity) 


Figure  69:  Quality  of  Encoded  Fingerprint  Images 
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Figure  69  shows  GenKey-generated  quality  values  for  encoded  images.  Quality  values  range  from  0-1  and  are 
binned  by  0.1  for  clarity.  Results  suggest  that  as  long  as  images  are  of  sufficient  quality  to  create  a  reference 
template,  that  GenKey  will  bin  the  image  as  high-quality. 


Quality  Level 


0.6-0.8 


0.4-0.6 


0.0-0.2 


0.8-1.0 


Figure  70:  Examples  of  Image  Quality  from  0.0  to  1.0 
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6.3.4  Accuracy  Rates 


Figure  71  presents  FNMR  at  specific  FMR  values.  Systems  are  frequently  evaluated  based  on  their  genuine  error 
rates  at  specific  impostor  error  rates.  Many  systems  are  configured  to  provide  0.10%  or  0.01%  FMR,  such  that  the 
likelihood  of  a  false  match  is  1  in  1000  or  1  in  10,000  (respectively).  Therefore  it  is  useful  to  examine  genuine  error 
rates  at  these  specific  impostor  error  rates.  Error  rates  presented  in  this  section  do  not  include  acquisition  failures 
(FTA  or  FTE). 


Genuine  Error  Rates  at  0.10%  FMR 

Genuine  Error  Rates  at  0.01%  FMR 

VeriFinger  6.N 

1.74% 

1.74% 

GenKey  Standard  ID  Key 

2.19% 

2.85% 

GenKey  Flex  ID  Key  107  Byte 

1.54% 

2.41% 

GenKey  Flex  ID  Key  56  Byte 

1.75% 

2.63% 

GenKey  Flex  ID  Key  25  Byte 

2.85% 

6.80% 

GenKey  Flex  ID  Key  12  Byte 

7.89% 

20.18% 

Figure  71:  FNMR  at  Vendor- Specified  FMR  Thresholds 


Figure  72  shows  GenKey  results  at  each  evaluated  threshold.  Values  in  bold,  in  the  range  of  Threshold  values  from 
0.30  to  0.50,  can  be  considered  operationally  relevant. 
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Figure  72:  GenKey  Matching  Accuracy  (Table) 
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Performance  in  the  following  section  is  rendered  through  results  tables  and  detection  error  tradeoff  (DET)  curves. 
The  range  of  thresholds  was  selected  based  on  the  incidence  of  observed  errors  and  on  consideration  of  operationally 
realistic  values.  DET  curves  plot  error  pairs  (e.g.  FNMR  and  FMR)  across  a  range  of  values.  Left-  and  lower-most 
DET  curves  indicate  lower  comparison  error  rates.  DET  curves  can  be  used  to  identify  the  point  at  which  one  wishes 
to  operate  one’s  system  -  e.g.  at  0.01%  FMR  or  1.00%  FNMR  -  and  estimate  the  corresponding  genuine  or  impostor 
error  rate  at  that  operating  point. 

While  DET  curves  will  ideally  be  smooth  through  the  full  range  of  performance,  at  the  right-  and  bottom-hand  side 
of  the  curve,  plots  may  become  ’’stepped”,  indicating  that  the  number  of  genuine  or  impostor  errors  at  these  points  is 
unchanged  while  the  counterpart  error  type  changes.  In  order  to  maintain  readability  and  to  focus  on  reasonable  or 
differentiated  performance  ranges,  the  DETs  below  show  error  rates  across  the  following  ranges: 

•  T-FNMR:  0.1%  to  10% 

•  T-FMR:  0.01%  to  10% 

False  non-match  rates  and  false  match  rates  are  calculated  by  dividing  the  number  of  errors  at  a  given  threshold  by 
the  total  number  of  genuine  and  impostor  comparisons  executed,  respectively.  The  total  number  of  genuine  and 
impostor  comparisons  executed  for  each  comparison  type  precedes  each  results  table.  In  many  operational 
deployments,  users  are  permitted  to  execute  multiple  attempts,  such  that  FNMR  is  lower  than  observed  in  single¬ 
attempt  tests.  If  the  Report  reader  were  to  focus  on  either  attempt-level  or  transactional  comparison  error  rates,  the 
latter  is  more  operationally  realistic. 

Figure  73  shows  the  same  GenKey  matching  results  in  chart  form,  and  also  adds  results  for  Neurotechnology 
VeriFinger. 
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Figure  73:  GenKey  Matching  Accuracy  (DET) 
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6.3.5 


False  Match  Rates  by  Subject 


For  many  biometric  systems,  certain  subjects  encounter  higher  false  match  rates  than  others.  IBG  analyzed  the 
distribution  of  false  matches  across  subjects.  Subject-specific  false  match  rates  (aggregated  across  all  evaluated  ID 
Key  types  and  sizes,  and  measured  at  a  typical  threshold  of  0.45)  ranged  from  as  high  as  4.04%  and  as  low  as 
0.00%.  The  ten  Test  Subjects  with  the  highest  false  match  rates  are  shown  in  Figure  74.  While  false  match  rates 
generally  decline  as  key  sizes  increase,  in  some  cases  subjects  encountered  higher  false  match  rates  at  larger  key 
sizes.  For  example,  251  of  457  subjects  encountered  higher  false  match  rates  at  an  ID  Key  size  of  56  bytes  than  at  an 
ID  Key  size  of  25  bytes. 
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Figure  74:  Test  Subjeets  with  Highest  Aggregated  False  Mateh  Rates 


The  distribution  of  false  match  rates  across  all  Test  Subjects  is  shown  in  Figure  75. 


4.50% 


rz 

QC 


Aggregate  False  Match  Rates  by  Subject 


Test  Subjects  ■ 


Figure  75:  Test  Subjeets  with  Highest  Aggregated  False  Mateh  Rates 
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Annex  A  Review  of  Commercial  PET  Techniques 


A.l  Hitachi,  Ltd. 

Hitachi,  Ltd.,  Systems  Development  Laboratory  is  investing  in  the  research  and  development  of  cancelable 
biometric  systems.  Hirata  and  Takahashi  (2009)  proposed  a  method  that  uses  correlation-invariant  random  filtering. 
The  method  performed  accurately  in  empirical  tests  on  fingerprint  and  finger  vein  verification  applications.  It  is 
feasible  that  this  protocol  was  integrated  with  VeinID,  which  is  reportedly  capable  of  producing  encrypted  and 
cancelable  biometrics. 

VeinID 

VeinID  is  the  Hitachi’s  premier  finger  vein  sensing  product.  In  a  presentation  by  a  researcher  at  the  Systems 
Development  Lab,  VeinID  has  been  integrated  with  systems  compliant  with  international  standard  ITU-T  X.I088, 
which  describes  standard  methods  for  biometric  template  protection.  According  to  the  presenter,  Hitachi  deployed 
VeinID  to  authenticate  users  in  a  Japanese  cloud  computing  service.  For  each  transaction  the  user  presents  a  finger 
to  a  vein  sensing  device.  Vascular  patterns  are  extracted  and  transformed  by  a  secret  parameter.  Templates  are 
matched  in  the  encrypted  domain.  A  template  can  be  cancelled  by  reenrolling  a  finger  vein  pattern  with  a  new  secret 
parameter.  Upon  reenrolling  a  template,  the  vascular  pattern  is  encrypted  twice:  once  by  the  old  parameter  and  once 
by  the  new  parameter.  The  difference  value  between  these  is  sent  to  the  server,  where  the  old  template  is  compared 
with  the  difference  value.  If  there  is  a  match,  the  new  template  is  stored  in  the  dataset. 

Hitachi  partnered  with  Medibase  to  develop  BASEmetric,  an  access  control  system  that  is  intended  to  verify  and 
identify  patients  in  health  care  systems.  The  system  uses  VeinID  to  capture  and  process  finger  vein  images.  A 
whitepaper  of  the  system  claims  that  it  “retains  only  a  mathematical  code  for  identification  purposes.  The  actual 
finger  vein  itself  is  not  stored.  The  mathematical  code  that  is  retained  is  not  useful  to  any  entity  outside  the 
immediate  healthcare  system.”  A  press  release  published  in  June  2010  reported  that  BASEmetric  had  been  deployed 
at  two  hospitals  in  an  Ohio  health  system.  The  publication  touts  the  privacy-preserving  characteristics  of  the  system. 

Further  Reading 

Hirata,  Shinji.  2009.  “Cancelable  Biometrics  with  Perfect  Secrecy  for  Correlation-Based  Matching.”  Hitachi,  Ltd., 
Systems  Development  Laboratory,  ’’http://www.hitachi.com/rd/sdl/conf/2009/icb/index.html. 

Isobe,  Yoshiaki.  2010.  “Telebiometrics,  and  Applications  in  Japan.”ITU-T  Workshop  on  Addressing  Security 
Challenges  on  a  Global  Scale.  http://www.itu.int/dmspub/itu-t/oth/06/35/T063500000200524PDFE.pdf. 

Hitachi  America,  Ltd.  2010.  “Hitachi  America,  Ltd  And  Medibase  Solutions,  Inc  Deploy  Finger  Vein  Biometric 
Solution  At  Health  Care  System  In  Ohio.”  http://www.hitachi.us/about/press/details/063020I02.html. 

Medibase.  “BASEmetric:  Accurate  Biometric  Identification  of  Returning  Patients.” 
http://www.medibase.com/pdf/BASEmetric.pdf 

A.2  Mitsubishi  Electric  Research  Laboratories  (MERL) 

MERE  began  investing  in  the  research  and  development  of  biometric  template  protection  algorithms  circa  2005.  Its 
researchers  pioneered  the  development  of  syndrome  coding  methods  that  employ  local  aggregation  to  generate 
binary  feature  vectors.  The  company  was  the  assignee  to  a  patent  that  laid  claim  to  a  method  of  biometric  template 
protection  by  way  of  syndrome  coding. 

A.3  Securics,  Inc. 

Securics,  Inc.  sells  products  and  integrates  systems  using  the  biotoken  method  developed  by 

Boult  et  al.  (2007).  The  company  developed  an  application  for  PayPal.  It  integrates  a  biometric  key  infrastructure 

based  on  Biotope.  Fingerprint  data,  transactional  data,  and  multiple  keys  are  used  to  produce  private  tokens  that 
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protect  privacy  and  security  in  electronic  commerce.  After  enrollment,  users  need  only  to  present  their  fingerprint  to 
confirm  a  transaction.  The  fingerprint  image  is  never  stored  or  transmitted.  The  identity  verification  process  is 
asymmetric. 

A.4  TUBITAK-UEKAE 

The  National  Research  Institute  of  Electronics  and  Cryptology  (TUBITAK-UEKAE)  is  deploying  a  biometric  civil 
identification  system  for  the  Electronic  Identity  Authentication  and  Management  System  in  Turkey.  The  project  is 
expected  to  be  complete  in  2013.  The  new  system  will  feature  smart  cards  that  store  fingerprint  or  finger  vein  data  of 
the  card  owner.  The  institute  is  conducting  joint  studies  with  Hitachi-Omron  to  integrate  finger  vein  recognition  into 
the  passport  system.  A  presentation  by  lead  developer  Alper  Kanak  describes  the  template  protection  process. 

During  enrollment  a  biometric  input  is  captured  and  preprocessed.  Features  are  extracted  and  scrambled  with  chaff 
data  generated  by  a  “hardware-based  truly  random  number  generator.”  Genuine  and  chaff  points  are  represented  as 
triplets  where  y  are  the  coordinates  of  the  minutiae  points  and  ^  is  the  angle  of  the  minutiae  point.  The 

hardened  template  is  encrypted  with  a  private  key  and  stored  on  the  EEPROM  of  the  smart  card,  and  nowhere  else. 

In  a  demonstrative  presentation  of  the  system  the  developers  reported  to  have  achieve  1.37%  EER.  Superior  results 
were  reported  in  Kanak  and  Sogukpinar  (2007),  which  achieved  0.0%  ERR  at  0.1%  FAR. 
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Annex  B  Patent  Reviews 


B.l  Bjorn  (2000) 

Assignee:  DigitalPersona,  Inc. 

Bjorn  patented  a  method  and  apparatus  for  generating  cryptographic  keys  and  digital  certificates  using  fingerprint 
feature  data.  This  publication  was  among  the  first  in  both  academic  and  commercial  discourses  to  propose  the  use  of 
biometrics  in  the  key  generation  process.  The  proposed  method  begins  with  the  user  presenting  a  fingerprint  image 
from  which  features  are  extracted  and  encoded  onto  a  template.  The  template  is  hashed  to  create  a  cryptographic  key 
that  is  stored  on  a  dataset.  In  a  second  proposed  variation,  additional  features  are  added  to  the  template  prior  to 
hashing  it.  In  a  third  proposed  variation,  “ghosf  ’  features  are  added  to  the  template  prior  to  hashing  it.  In  the  digital 
certificate  variation,  the  user  submits  a  fingerprint  template  to  a  certifying  authority  (CA).  The  CA  generates  a 
digital  certificate  that  includes  the  template  data  and  signs  the  certificate  with  a  private  key.  The  certificate  is 
returned  to  the  user,  who  decrypts  the  certificate  with  the  CA’s  public  key.  The  user  retrieves  the  public  key  and 
fingerprint  template  from  the  certificate.  The  user  will  be  able  to  decrypt  a  protected  file  if  the  public  key  decrypts 
the  file  and  the  fingerprint  matches  the  template. 

B.2  Bolle  et  al.  (2004) 

Assignee:  IBM  Corporation 

Bolle  et  al.  were  among  the  first  to  patent  a  cancelable  biometric  authentication  system  and  method.  The  proposed 
invention  was  intended  to  fortify  biometric  templates  against  unauthorized  dissemination  or  theft,  which  would 
otherwise  permanently  compromise  the  identities  of  their  genuine  owners.  The  principal  claim  of  the  invention  was 
the  use  of  parameterized,  noninvertible  transforms  to  distort  an  acquired  image  or  set  of  features  into  an  encrypted 
template  that  cannot  feasibly  be  reconstructed  into  the  original  biometric.  They  extend  their  claim  where:  (a)  the 
biometric  modality  includes  a  fingerprint,  face,  hand,  iris,  blood  vessel  pattern,  vocalization,  or  signature;  (b)  the 
distortions  are  applied  to  an  orthogonal  Cartesian  grid  or  a  circular  polar-coordinate  grid;  (c)  the  distortion  process  is 
of  a  geometric,  quantized  or  block-scrambling  nature;  (d)  the  biometric  features  distorted  include  fingerprint 
minutiae,  location  of  facial  features,  iridial  texture,  formant  frequencies  and  derivatives  of  a  speech  signal,  and  joint 
lengths  and  widths  of  a  hand;  (e)  the  matching  process  incorporates  multiple  identifiers.  In  sum  the  patent  laid  claim 
to  most  of  the  fundamental  methods  that  would  be  used  by  the  researchers  whose  approaches  to  cancelable 
biometrics  are  reviewed  in  this  report. 

B.3  Davida  and  Frankel  (2010) 

Davida  and  Frankel  patented  a  system  and  method  for  preserving  privacy  in  biometric  authentication  and 
identification  systems  where  the  biometric  is  not  stored  on  a  dataset  and  matching  is  conducted  offline  on  the  client 
machine.  The  inventors  note  that  the  proposed  system  could  be  extended  to  online  systems.  On  the  client  machine, 
only  an  “identity  verification  template”  (IVT)  is  stored.  The  bulk  of  the  patent  describes  a  system  for  storing  and 
matching  biometric  templates  in  a  physically  and  logically  secure  location.  Section  3.2  describes  the  systemic  design 
of  cancelable,  multifactor  biometric  key  generation. 

B.4  Chang  et  al.  (2010) 

Assignee:  Industrial  Technology  Research  Institute 

Chang  et  al.  patented  a  system  and  method  for  generating  cryptographic  keys  from  biometric  data  by  way  of  feature 
transformation.  Each  user  possesses  a  unique  transform  unit  that  can  be  reissued  in  the  event  that  the  protected 
template  is  compromised.  The  inventors  mentioned  that  linear  discriminant  analysis  produces  vectors  with  high 
interclass  variability  and  low  intraclass  variability.  Thus  in  a  description  of  the  preferred  embodiment  they  explained 


They  filed  the  patent  application  in  June,  2000,  which  predates  almost  all  of  the  articles  reviewed  in  this  report. 
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how  to  use  cascaded  linear  discriminant  analysis,  an  iterative  series  of  linear  discriminant  analyses,  to  map  a 
biometric  feature  signal  onto  a  projection  vector.  The  optimal  projection  vector  can  be  derived  such  that 


where  Sw'^=0.5(Sa+  St),  in  which  S_a  and  S_t  are  the  covariance  matrices  of  the  features  of  the  genuine  and  imposter 
users  respectively,  and  m_aand  m_tare  the  mean  of  biometric  features  of  the  authenticated  and  imposter  users 
respectively.  This  equation  projects  high-dimensional  biometric  features  onto  a  one-dimensional  feature  space. 
Iterating  the  equation  M  times  produces  M  projection  vectors  to  transform  N-dimensional  biometric  features  into  M- 
dimensional  feature  signals.  This  process  maximizes  the  distance  between  the  mean  samples  of  an  authenticated  user 
and  imposters,  making  each  protected  template  maximally  unique  relative  to  one  another. 

A  key  generation  unit  produces  a  cryptographic  key  according  to  bit  information  stability  provided  by  feature 
signals  in  each  dimension  according  to  different  distinguishabilities.  Figure  76  illustrates  the  procedure  for 
generating  reliable  cryptographic  keys  from  the  feature  signal:  (a)  represents  the  feature  signal  distribution  of  the 
authenticated  user  and  the  global  feature  signal  distribution  all  users  in  a  given  dimension;  (b)  represents  the  position 
of  the  left  and  right  boundaries  JB  and  RJVt,  expressed  as 

LB  =  min((mg  -  kgOg),  (m^  -  kaCTa)) ,  and 
RB  =  max  ((m^  -  kgag),  (rria  -  fca^’a)) 

where  m_a  and  6_a  are  the  mean  and  standard  deviation  of  the  genuine  feature  signal  distribution  and  m_g  and  6_g  are 
the  mean  and  standard  deviation  of  the  global  feature  distribution;  (c)  represents  the  segments  with  the  same  size  as 
the  authentic  region  covering  the  range  between  the  left  and  right  boundaries  LB  and  RM;  and  (d)  represents 
corresponding  index  to  each  above  segment,  where  the  index  of  each  segment  is  selected  according  to  the  position  of 
each  segment  in  the  feature  space. 


Figure  76:  Schematic  drawing  of  the  processing  procedure  of  the  stable  key  generation  unit 

B.5  Draper  et  al.  (2010) 


Assignee:  Mitsubishi  Electric  Research  Laboratories,  Inc. 

Draper  et  al.  patented  a  method  for  secure  biometric  data  by  encoding  syndrome  vectors.  They  laid  claim  to  methods 
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in  which  a  syndrome  decoder:  (1)  uses  belief  propagation;  (2)  is  based  on  a  measurement  model  accounting  for 
noise;  and  (3)  determines  parameters  of  source  and  channel  models  from  training  data.  The  patent  mostly  describes 
the  preferred  embodiments  of  the  proposed  method,  which  include:  a  syndrome  encoder  and  hashing  method  for 
securely  storing  biometric  parameters;  a  syndrome  code  based  encryption  method  for  securely  storing  data 
encrypted  with  biometric  keys;  and  a  method  of  optimizing  syndrome  codes  used  for  secure  biometric  applications. 
The  first  is  embodiment  reviewed  in  this  report. 

Syndrome  and  Hashing  Method  for  Secure  Biometric  Parameters'^ 

During  enrollment,  the  user  presents  a  biometric  image  from  which  a  feature  vector  is  extracted  using  an  existing 
feature  extraction  algorithm.  Biometric  parameters  of  the  feature  vector  are  encoded  using  a  syndrome  encoder; 
while  a  message  authentication  code  or  hash  function  is  concomitantly  applied  to  the  biometric  parameters  to 
produce  an  enrollment  hash.  The  syndrome  vector  and  hash  are  stored  as  a  pair  ^  S;  H "  in  a  dataset.  The  proposed 
syndrome  encoder  can  operate  on  integer  values  in  addition  to  binary  values.  During  authentication,  the  parameters 
of  a  biometric  query  are  combined  with  one  or  more  stored  syndrome  vectors  using  a  syndrome  decoder  to  recreate 
the  parameters  of  the  original  biometric.  Access  is  granted  if  the  parameters  of  the  query  biometric  match  those  of 
the  decoded  biometric.  Figure  77  illustrates  the  systemic  design  of  the  patented  syndrome  and  hashing  method  for 
biometric  template  protection. 


310 


B.6  Akkermans  et  al.  (2007) 

Assignee:  Philips 

Akkermans  et  al.  filed  a  patent  application  for  the  invention  of  a  method  and  system  of  protecting  templates  in 
biometric  identification  systems.  The  explicit  goal  of  the  invention  was  to  preserve  verification  performance  while 
obfuscating  the  identities  of  template  owners.  During  enrollment,  the  user  presents  multiple  impressions  of  the  same 


See  p.  27. 
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biometric  image.  Features  are  extracted  from  each  input  image  and  the  elements  in  the  each  vector  are  quantized. 
The  quantized  templates  are  compared,  and  the  components  which  appear  less  frequently  are  considered  unreliable 
and  discarded,  resulting  in  a  set  of  reliable  feature  components  likely  to  be  reproduced  by  the  genuine  user  in 
subsequent  transactions.  A  subset  W1  of  the  reliable  components  is  stored  in  a  central  dataset  to  be  used  as  helper 
data  during  authentication.  The  security  of  the  system  is  a  function  of  the  value  of  the  quantization  resolution, 
whereby  a  lower  resolution  increases  the  tolerance  of  the  system  while  increasing  the  likelihood  that  an  imposter 
will  be  incorrectly  authenticated.  In  Section  [0021]  the  inventors  extended  the  preferred  embodiment  to  create 
cryptographically  secure  codeword  of  the  biometric  data.  A  randomly  generated  secret  S  is  encoded  into  a  codeword 
C  and  combined  with  the  reliable  feature  component  vector  X’  by  way  of,  for  example,  an  XOR  operation, 
producing  a  second  helper  data  set  W2.  The  original  secret  S  is  concealed  by  a  hash  function  F,  and  both  the  hashed 
secret  F(S)  and  the  helper  data  set  W2  are  stored  on  the  central  dataset. 

B.7  Bolle  et  al.  (2009a) 

Assignee:  IBM  Corporation 

This  patent  application  laid  claim  to  a  method  whereby  an  identity  is  verified  or  identified  upon  the  successful 
comparison  of  two  or  more  encrypted,  cancelable  biometric  templates,  such  that  the  identities  of  the  authenticating 
user  and  those  in  the  dataset  are  never  disclosed  during  the  whole  process  of  authentication.  The  process  by  which 
templates  are  matched  is  as  follows:  (1)  a  transformed  biometric  is  presented;  (2)  a  second  biometric  is  transformed 
in  a  manner  parallel  to  that  of  the  first  biometric;  (3)  the  two  transformed  biometrics  are  compared;  and  (4)  matches 
are  reported.  Also  claimed  in  the  patent  are  an  electronic  device  and  a  computer  program  that  execute  the  proposed 
method. 
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Annex  C  Iris  Recognition  Techniques  and  Standards 


C.l  Algorithms  and  Templates 

Iris  recognition  refers  to  the  process  of  identifying  or  authenticating  individuals  based  on  random  patterns  of  their 
irises.  Despite  its  wide  employment,  automated  iris  recognition  is  relatively  young.  Generally,  an  iris  recognition 
system  is  comprised  or  four  steps  namely,  image  capturing,  iris  segmentation,  feature  extraction  and  matching. 

The  goal  of  image  capturing  is  to  acquire  high  quality  data  that  is  employable  for  recognition  purposes.  The  purpose 
of  the  second  step,  iris  segmentation,  is  to  isolate  the  iris  from  the  rest  of  the  eye  image  and  the  pupil.  Segmentation 
is  very  important  and  directly  affects  the  efficiency  of  feature  extraction.  There  are  a  number  of  challenges  in 
localizing  the  iris  such  as  eyelid  and  eyelash  occlusion,  light  reflections  or  shadows  created  during  image  capturing. 

Feature  extraction  operates  on  segmented  iris  images,  for  the  design  of  discriminative  features  i.e.,  features  which 
are  unique  to  an  individual  and  allow  the  system  to  distinguish  him/  her  in  a  population.  Typically,  such  features  are 
either  texture  based  or  zero  crossing  representations  of  concentric  circles  around  the  iris.  The  most  widely  explored 
approach  to  feature  extraction  is  by  Daugman  [7-11].  However  there  exist  a  number  of  alternative  methods  that  have 
demonstrated  promising  results  as  well.  This  section  provides  an  overview  of  these  methodologies,  along  with 
Daugman’ s  approach  and  concludes  with  the  related  to  iris  recognition  standards  currently  in  place. 

Ma  et  al.  [Ih  proposed  a  four  step  recognition  algorithm  that  performs  the  following  operations:  Image  quality 
assessment  and  selection,  preprocessing,  feature  extraction  and  matching. 

A  typical  iris  camera  provides  more  than  one  snapshots  of  the  iris  and  the  objective  is  to  automatically  detect 
whether  the  biometric  information  is  occluded,  blurred  or  out-of-focus.  A  quality  descriptor  based  on  the  frequency 
distribution  of  the  captured  image  is  defined  as  follows: 
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Where  is  the  Fourier  spectrum  of  an  iris  region  and"^^  ,  are  the  radial  frequency  pair  and  bound  the 

range  of  the  corresponding  frequency  components  (low,  middle  and  high).  Every  quality  factor  D  has  two  measures. 
The  first  measure  can  be  used  to  detect  occlusion,  as  it  relates  to  the  overall  power  of  the  image.  The  second 
measure  takes  smaller  values  for  defocused  or  blurred  images. 

Preprocessing  is  an  essential  step  for  biometric  recognition  systems.  Without  any  treatment,  feature  extraction  from 
raw  images  would  be  meaningless.  In  [1],  preprocessing  includes:  iris  localization,  normalization  and  enhancement. 
The  iris  is  localized  with  the  Canny  edge  detector  which  is  applied  on  the  image  after  projection  on  the  horizontal 
and  vertical  directions.  The  iris  is  unwrapped  to  a  rectangular  block  of  fixed  size  with  the  following  transformation: 
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Where  is  the  image,  and  are  the  coordinates  of  the  inner  and  outer  boundary 

points  in  the  direction  ^  in  the  original  image  .  Finally,  an  estimate  of  the  background  illumination  is  used  to 
adjust  the  contrast  of  the  image  so  that  the  texture  if  uniformly  enhanced  along  the  rectangular. 

Feature  extraction  in  [1]  operates  in  the  frequency  domain,  with  the  use  of  circularly  symmetric  sinusoidal  functions. 
These  functions  are  similar  to  Gabor  filters  with  the  difference  being  that  the  latter  use  oriented  sinusoidal  functions. 
The  kernels  of  the  filters  applied  in  [1]  target  to  capture  the  local  properties  of  the  texture  and  are  estimated  as 
follows: 
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Where  J  )  denotes  the  modulating  sinusoidal  function,  f  is  the  frequency  of  the  sinusoidal  function 

s  s 

and  ^ ^  are  the  space  constants  of  the  Gaussian  envelope  along  the  x  and  y  axis  respectively  and  0  denotes  the 
orientation  of  the  Gabor  filter. 


It  was  observed  that  the  upper  portion  of  the  normalized  iris  image  (closer  to  the  pupil)  provides  the  most  distinctive 
texture  information.  Furthermore,  there  are  lower  chances  of  eyelashes  to  occlude  these  regions.  For  this  reason, 
only  this  region  of  interest  (ROI)  was  used  for  feature  extraction.  Given  the  above  specified  filters,  the  output  of 
feature  extraction  is: 


Fi{x,y)  =  ^^IiXi,yi)G{x-Xi,y-yi)dXidyi  i  =  \^2 

Where  ^  is  the  ith  channel  of  the  spatial  filters,  denotes  the  ROI  and  is  the  filtered  image.  In 

addition,  statistical  features  are  extracted  for  each  8x8  block.  For  every  filtered  block  the  mean  and  the  absolute 
deviation  serves  as  the  feature  vector: 


(11) 


n  w  (12) 

Where  w  is  an  8x8  block  in  the  filtered  image  and  n  is  the  number  of  pixels  in  that  block.  Such  features  acquired 
from  all  the  respective  blocks  in  the  ROI  are  concatenated  into  an  ID  feature  vector.  Therefore,  the  output  of  feature 
extraction  is  a  feature  vector  of  length  1536. 


The  dimensionality  of  the  feature  vector  is  reduced  prior  to  classification.  This  reduction  was  based  on  the  Fisher 
Linear  Discriminant  Analysis  (LDA),  which  is  a  supervised  machine  learning  technique.  LDA  transforms  a  vector  in 
a  way  that  the  within- subject  variability  is  reduced  and  at  the  same  time  the  between- subject  is  augmented.  Given  an 


LDA  transformation  matrix  ^ ,  the  new  feature  vector  is  estimated  through  projection: 

f  =  W^V 


(13) 


Where  ^  is  the  1536  dimensional  input,  and  ^  is  the  new  feature  vector  of  reduced  dimensionality.  Classification 
is  performed  based  on  the  nearest  centre  method,  with  the  Euclidean  norm  utilized  as  the  similarity  measure. 
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The  system  in  [1]  was  tested  on  the  CASIA  Iris  dataset,  which  includes  2255  iris  images  from  213  subjects.  The 
performance  was  reported  for  various  dimensionalities  of  the  feature  vector,  with  accuracy  reaching  99.43%  for  a 
dimensionality  of  220. 

Boles  et  aL  [21  proposed  a  feature  extraction  scheme  based  on  the  wavelet  transform  of  the  iris  signature  i.e.,  the 
gray  scale  density  along  concentric  contours.  The  essence  of  the  feature  extractor  lies  on  the  local  structure  of  the 
iris  patterns  along  circles.  More  specific,  the  proposed  framework  is  comprised  of  three  steps,  namely  preprocessing, 
feature  extraction  and  classification. 


During  preprocessing  is  the  image  is  subjected  to  edge  detection  for  the  localization  of  the  iris.  By  taking  into 
consideration  the  fact  that  iris  has  a  circular  shape,  edge  detection  is  tuned  in  seeking  a  closed  contour. 

The  region  formed  by  the  circular  contour  propagates  to  feature  extraction.  Since  the  local  structure  is  examined  at  a 
circular  level,  a  reference  point  is  determined  based  on  the  centroid  of  the  previously  detected  iris.  Using  this  point, 
a  number  of  virtual  contours  are  considered  to  be  structurally  circular  and  concentric  around  the  pupil.  Every 
contour  is  revisited  and  treated  independently  by  feature  extraction  as  an  ID  signal.  The  amplitude  along  the  contour 
(gray  scale  intensity)  is  normalized  and  the  length  is  normalized  to  acquire  comparable  views  for  any  image.  The  ID 
signal  is  further  processed  using  the  dyadic  wavelet  transform,  in  order  to  retain  only  few  low  resolution  levels  not 
affected  by  high  frequency  noise.  The  zero  crossings  along  these  levels  are  detected  and  used  for  the  design  of  the 
biometric  template. 

The  template  is  a  combination  of  both  the  location  of  the  zero  crossings  and  the  amplitude  of  the  signal  between  two 

Z  f 

adjacent  zero  crossings.  For  instance,  at  a  particular  wavelet  level  ^  the  template,  denoted  as  ,  is  a  set  of 
ordered  complex  numbers  for  which  the  real  part  describes  the  magnitude  between  two  adjacent  zero-crossings,  and 
the  imaginary  part  the  locations  of  the  zero-crossings. 

For  matching,  two  dissimilarity  measures  are  defined  to  associate  an  unknown  input  signature  ^  and  candidate 
identity  ^  at  a  particular  resolution  level  J  : 
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Where  T  is  a  scale  factor,  while  and  are  the  real  and  imaginary  parts  of  the  representation 

respectively.  The  overall  dissimilarity  of  ^  and  ^  is  the  average  dissimilarity  of  the  two  over  all  decomposition 
levels. 


The  performance  of  this  algorithm  was  reported  for  iris  images  of  two  subjects  but  under  lighting  and  noise 
variations  as  well  as  for  different  camera-to-face  distances.  The  proposed  dissimilarity  measures  managed  to 
distinguish  the  two  irises  even  under  extreme  lighting  and  distance  variations.  However,  the  system  was  shown  to  be 
prone  to  noise. 

Wildes  et  aL  [31  were  among  the  earliest  to  explore  automatic  iris  recognition.  Apart  from  the  template  design 
algorithm,  this  work  also  presented  a  schematic  diagram  for  the  acquisition  of  the  iris  image,  by  taking  into  account 
the  effects  of  illumination  as  well  as  the  positioning  of  the  eye  into  the  camera’s  field  of  view.  Preprocessing  of  the 
acquired  image  included  simple  low-pass  filtering  with  a  Gaussian  filter,  and  spatial  down-sampling  that  reduces  the 
resolution  in  order  to  better  assist  iris  detection.  The  iris  is  then  localized  using  gradient-based  edge  detection  and 
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simple  voting  of  the  detected  edge  pixels.  The  essence  of  feature  extraction  in  [3],  was  to  capture  the  range  of  spatial 
structures  using  a  two-dimensional  band-pass  decomposition.  The  decomposition  was  based  on  a  Laplacian 
pyramid.  A  four  level  decomposition  was  performed,  where  every  level  encompassed  two  steps: 

•  Low  pass  filtering  of  the  iris  and  down-sampling  by  a  factor  of  two  on  the  horizontal  and  vertical  directions. 

•  Starting  from  the  smallest  image,  it  is  expanded  by  a  factor  of  two  (up-sampling  with  linear  interpolation)  and 
subtracted  from  the  one  which  is  one  level  below. 


With  this  expansion,  four  band-pass  iris  images  were  acquired  and  used  as  the  biometric  template.  Matching  was 
performed  using  a  shift,  scale  and  rotate  methodology  which  given  a  pixel  at  the  template  image  seeks  to  establish  a 
match  with  any  pixel  of  the  input  image. 

The  performance  of  this  algorithm  was  tested  on  500  iris  images  from  50  volunteers.  Impostor  tests  were  performed 
using  40  of  those  subjects.  The  identification  performance  was  100%. 

Avila  et  aL  [41  presented  a  zero-crossing  based  iris  representation  in  2002.  The  first  step  of  the  algorithm  was  to 
convert  the  color  image  to  gray  scale  and  to  normalize  the  respective  histogram.  Iris  localization  was  then  performed 
by  locating  the  centre  of  the  iris  as  well  as  by  taking  advantage  of  the  circular  structure.  Furthermore,  the  diameter 
of  the  iris  was  normalized,  to  acquire  comparable  irises  along  all  images.  However,  no  other  information  was 
reported  on  this  process. 

Feature  extraction  was  based  on  the  gray  color  intensity  along  virtual  co-centered  contours,  using  the  centre  of  the 
pupil  as  a  reference.  This  is  essentially  a  256bits  ID  signal,  referred  to  as  the  iris  signature.  Once  the  signature  was 
acquired,  the  dyadic  wavelet  transform  was  used  for  further  processing  and  template  design. 

The  signal  at  every  level  was  searched  for  sign  changes.  Linear  interpolation  was  used  between  consecutive  samples 
of  opposite  signs,  in  order  to  establish  the  location  of  zero-crossings.  Only  the  finest  levels  of  the  decomposition 
were  excluded  from  this  process,  due  to  their  vulnerability  to  high  frequency  noise  (only  the  four  lowest  levels  were 
used  for  matching). 

Matching  was  performed  using  three  different  measures  i.e.,  the  Euclidean  distance,  the  Hamming  distance  and 
dissimilarity  functions.  The  Hamming  distance  was  observed  to  achieve  the  highest  classification  rate  (97.9%)  for 
200  images  of  20  subjects. 

An  approach  based  on  Gabor  filtering  and  the  wavelet  transform  was  reported  by  Zhu  et  aL  [51.  Similar  to  other 
methodologies,  preprocessing  was  a  three  step  operation  as  follows: 

•  Iris  localization,  where  the  geometrical  and  color  information  of  the  pupil  is  used  to  isolate  it. 

•  Iris  normalization  that  accounts  for  the  possible  deformations,  by  mapping  the  iris  to  a  rectangular  block  of 
fixed  size. 

•  Image  enhancement  with  local  histogram  normalization.  This  operation  treats  the  effects  of  non  uniform 
illumination. 

•  Feature  extraction  encompassed  two  sets  of  features,  both  related  with  the  texture  of  the  iris.  First,  a  multi¬ 
channel  Gabor  filter  was  designed  for  every  cortical  channel: 


(x,  y)  =  g(x,  y)  cos[2;z'  /  (x  cos  d  +  ysin  0)] 
K  y)  =  six,  y)  sin[2;r/(x  cos  6»  +  j  sin  6»)] 


Where  s(x,y)  is  a  2D  Gaussian  function  while  and  ^  are  the  central  frequency  and  the  orientation  that 
define  the  location  of  the  channel  in  the  frequency  plane.  For  every  central  frequency  (power  of  2),  filtering  is 
performed  for  various  angles  ^  ,  this  way  resulting  into  a  number  of  images.  The  feature  vector  is  then  the 
concatenation  of  the  means  and  standard  deviations  for  all  images.  Similarly,  the  mean  and  standard  deviation 
of  five  low  resolution  levels  acquired  using  the  2D  wavelet  transform  are  used  for  matching. 
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The  Euclidean  distance  is  used  to  associate  an  input  and  a  pre-enrolled  iris,  at  the  matching  stage.  This  system 
was  tested  on  160  iris  images  from  16  different  subjects.  The  overall  recognition  rate  was  93.8%. 

In  2001  Lim  et  aL  [61  proposed  an  improvement  on  prior  feature  extraction  methodologies  with  the  use  of  the  2D 
Haar  wavelet  for  the  exploration  of  texture  characteristics  of  the  iris.  A  preprocessing  stage  performed  operations 
such  as  iris  localization  and  normalization.  Localization  was  based  on  edge  detection  and  normalization  was 
suggested  by  fixation  of  the  distance  between  the  detected  inner  and  outer  boundaries  of  the  iris. 

The  preprocessed  image  is  decomposed  four  times  with  the  Haar  transform,  and  features  are  selected  from  the  high 
pass  sub-bands  (HH4,  HH3,  HH2  and  HHl).  More  specific,  the  HH4  sub-band  was  retained  for  classification  while 
only  the  average  was  used  for  sub-bands  HH3,  HH2  and  HHl.  To  control  space  and  computational  effort,  the  feature 
vector  was  quantized  into  binary  values  via  a  simple  sign  rule  i.e.,  positive  values  were  represented  by  1  while 
negative  by  0. 

For  classification,  a  competitive  neural  network  was  proposed  (LVQ).  The  reason  for  this  choice  was  that,  compared 
to  other  leaning  networks,  LVQ  is  faster  in  training.  However,  the  performance  of  the  LVQ  is  prune  to  initial  weight 
vectors.  To  address  this  problem,  the  authors  of  [6]  proposed  a  novel  initialization  process  by  which  initial  vectors 
are  located  at  the  boundaries  of  each  class. 

The  performance  of  the  proposed  system  was  tested  on  6000  iris  images  from  200  volunteers.  The  overall 
recognition  rate  achieved  was  99.3%. 

The  most  widely  deployed  algorithm  for  iris  recognition  was  proposed  by  Daugman  [7-111  based  texture 
characteristics  of  the  iris,  explored  through  a  2D  wavelet  decomposition  procedure. 

The  preprocessing  step  of  Daugman’ s  algorithm  includes  image  focus  assessment  and  iris  localization.  In  order  to 
determine  if  the  image  is  usable  for  feature  extraction,  the  spectral  power  in  the  middle  and  upper  frequency  bands 
of  the  2D  Fourier  transform  is  examined.  This  assessment  is  rather  performed  during  the  acquisition  stage,  where  the 
goal  is  to  acquire  an  image  for  which  these  quantities  are  maximized. 

Daugman  also  proposed  a  very  effective  operator  that  can  be  used  to  determine  the  boundaries  of  the  iris  and  pupil. 
As  opposed  to  other  works,  this  operator  does  not  assume  that  circular  contours  which  surround  these  regions  are 
concentric,  and  because  of  this  the  parameters  of  the  two  circles  were  defined  separately.  For  an  image  ^  ’  T )  ^  the 

operator  is  defined  as  follows: 
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Where  '  is  a  smoothing  function  such  as  a  Gaussian  of  scale  ^ .  Essentially,  this  operator  behaves  as  a 

circular  edge  detector  that  localized  both  the  iris  and  the  pupil. 

For  feature  extraction  Daugman  [7]  proposed  a  2D  wavelet  demodulation  algorithm.  More  specific,  the  proposed 
wavelets  were  Gabor  filters: 
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Where  ^  the  frequency  of  the  sinusoidal  is  function,  ^  and  ^  are  the  space  constants  of  the  Gaussian  envelopes 
and  ^  is  the  orientation  of  the  Gabor  filter. 

The  encoding  is  essentially  a  phase  quantization  procedure  which  identifies  in  which  quadrant  of  the  complex  plane 
each  phasor  lies.  Encoding  can  be  described  through: 
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Where  is  a  complex  valued  bit  is  whose  real  and  imaginary  parts  are  either  1  or  0  depending  on  the  sign  of 


the  integral.  ^  and  ^  are  the  multiscale  wavelet  size  parameters,  and  represent  the  polar  coordinates  of 

h 

each  region  of  the  iris  for  which  the  phasor  coordinates  are  computed.  In  total,  2048  phase  bits  (iris  code) 

are  computed  for  each  iris. 

A  test  of  statistical  independence  was  also  proposed  by  the  same  author  that  estimates  the  similarity  (or  difference) 
between  two  2048  bit  streams.  This  test  is  based  on  simple  XOR  operations  that  return  1  if  the  two  bits  under 
consideration  are  different. 

In  addition  to  the  iris  code,  each  iris  is  accompanied  by  a  mask  of  the  same  length  that  signifies  parts  which  parts  of 
the  code  represent  occlusion  information.  The  goal  is  to  test  independence  without  taking  into  account  occluded 
portions  of  the  iris. 

For  two  iris  codes  codeA  codeB  ^  for  the  respective  masks  maskB  following  measure 

of  dissimilarity  was  proposed  by  Daugman  [7]: 


HD  = 


Y^codeA  ®  codeB)  n  maskA  n  maskB 
^naskA  n  maskB^ 


(21) 


Which  is  the  Hamming  distance,  a  well  known  measure  of  dissimilarity  between  two  binary  streams.  The  HD 
between  two  iris  codes  from  different  subjects  should  be  normally  distributed  with  a  mean  of  0.5.  HDs  from 
comparison  of  4258  different  iris  images  were  computed  (over  9.1  million  comparisons)  from  individuals  in  the 
U.K.,  U.S.A.,  Japan  and  Korea.  The  observed  mean  HD  was  0.499  with  a  standard  deviation  of  0.0317.  Figure  78 
provides  a  comparison  of  the  above  mentioned  approaches  with  respect  to  preprocessing,  feature  extraction, 
classification  algorithms  and  performance. 
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Figure  78:  Comparison  of  iris  recognition  algorithms 
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Iris  Recognition  Standards 


ISO/IEC  19794-6:  2005  Biometric  data  interchange  format  -  Part  6:  Iris  image  data  specifies  two  alternative 
image  interchange  formats  for  biometric  authentication  systems  that  utilize  iris  recognition.  The  first  is  based  on  a 
rectilinear  image  storage  format  that  may  be  a  raw,  uncompressed  array  of  intensity  values  or  a  compressed  format 
such  as  that  specified  by  ISO/IEC  15444.  The  second  format  is  based  on  a  polar  image  specification  that  requires 
certain  pre-processing  and  image  segmentation  steps,  but  produces  a  much  more  compact  data  structure  that 
contains  only  iris  information. 

ISO/IEC  TR  19795-3:  2007  Biometric  performance  testing  and  reporting  —  Part  3:  Modality-specific  testing 

describes  the  methodologies  relating  to  these  modality-dependent  variations.  It  presents  and  defines  methods  for 
determining,  given  a  specific  biometric  modality,  how  to  develop  a  technical  performance  test.  In  biometric 
performance  testing  and  reporting,  careful  consideration  needs  to  be  given  to  the  characteristic  differences  of  each 
modality  (fingerprint,  face,  iris,  etc.).  These  differences  naturally  require  variations  within  the  general  methodology 
defined  in  ISO/IEC  1 9795- 1.  ISO/IEC  TR  19795-3:2007 

NISTIR  6529-A  Common  biometric  exchange  formats  framework  (CBEFF)  relates  to  all  biometric  modalities. 
It  describes  a  structure  and  set  of  metadata  elements  necessary  to  support  exchange  of  biometric  information  in  a 
common  way. 

ANSI  INCITS  358-2002  [2007]  (Initially  developed  by  the  BioAPI  Consortium,  Reaffirmed  2007)  -  American 
National  Standard  for  Information  technology  for  Information  Technology  -  The  BioAPI  Specification 
specifies  the  Application  Programming  Interface  and  Service  Provider  Interface  for  a  standard  biometric  technology 
interface.  It  is  beyond  the  scope  of  this  specification  to  define  security  requirements  for  biometric  applications  and 
service  providers,  although  some  related  information  is  included  by  way  of  explanation  of  how  the  API  is  intended 
to  support  good  security  practices.  The  BioAPI  is  intended  to  provide  a  high-level  generic  biometric  authentication 
model;  one  suited  for  any  form  of  biometric  technology.  The  standard  covers  the  basic  functions  of  Enrollment, 
Verification,  and  Identification,  and  includes  a  dataset  interface  to  allow  a  biometric  service  provider  (BSP)  to 
manage  the  Identification  population  for  optimum  performance.  It  also  provides  primitives  that  allow  the  application 
to  manage  the  capture  of  samples  on  a  client,  and  the  Enrollment,  Verification,  and  Identification  on  a  server. 

ANSI  INCITS  398-2008  (Revision  of  ANSI  INCITS  398-2005)  American  National  Standard  for  Information 
Technology  -  Common  Biometric  Exchange  Formats  Framework  (CBEFF)  specifies  a  common  set  of  data 
elements  necessary  to  support  multiple  biometric  technologies  and  to  promote  interoperability  of  biometric-based 
application  programs  and  systems  by  allowing  for  biometric  data  exchange.  This  standard  (revision  of  ANSI 
INCITS  398-2005)  specifies  a  common  set  of  data  elements  necessary  to  support  multiple  biometric  technologies 
and  to  promote  interoperability  of  biometric-based  application  programs  and  systems  by  allowing  for  biometric  data 
exchange.  These  common  data  elements  can  be  placed  in  a  single  file,  record,  or  data  object  used  to  exchange 
biometric  information  between  different  system  components  and  applications. 

This  standard  specifies  the  biometric  data  elements.  These  elements  are  assembled  into  data  structures  defined  by 
CBEFF  patron  format  specifications  or  standards.  Each  patron  format  specification  that  conforms  to  CBEFF  defines 
which  CBEFF  data  elements  are  present  in  its  format  and  how  the  data  elements  are  extracted  and  processed  (details 
such  as  the  data  encoding  scheme  are  the  responsibility  of  the  CBEFF  patrons).  The  biometric  data  transported  in  a 
CBEFF  structure  can  represent  processed  or  unprocessed  (raw)  data.  This  standard  itself  specifies  two  Patron 
Formats  (Patron  Format  A  and  B,  see  Annexes  A  and  B).  Annexes  C  through  F  document  patron  formats  that  have 
been  specified  external  to  this  standard,  as  follows:  C.  The  BioAPI  BIR,  D.  The  NIST  PIV  CBEFF  Patron  Format 
specified  in  NIST  SP  800-76,  Feb  I,  2006,  E.  The  ICAO  Fogical  data  Structure  (EDS),  F.  The  Type  99  record 
specified  in  the  revision  of  the  ANSI/NIST-ITF  1-2000  standard  (ANSI/NIST-ITF  1-2007,  “Data  Format  for  the 
Interchange  of  Fingerprint,  Facial,  &  Other  Biometric  Information”).  CBEFF  does  not  specify  the  content  or  format 
of  the  actual  biometric  data  contained  within  a  CBEFF  biometric  data  record.  Protection  of  the  privacy  of 
individuals  from  inappropriate  dissemination  and  use  of  biometric  data  is  not  in  the  Scope  of  this  standard. 
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Annex  D  Fingerprint  Recognition  Techniques  and  Standards 


D.l  Fingerprint  Algorithms  and  Templates 

Feature  extraction  from  fingerprint  images  may  operate  on  three  distinct  levels: 

Level  1  features  describe  the  overall  ridge  patterns  i.e.,  the  flow  and  direction  of  lines  in  the  image.  Level  2 
fingerprint  features  are  more  detailed  as  they  describe  the  various  ridge  path  deviations  such  as  ridge  endings  or 
splits  (bifurcation).  Accordingly,  level  3  fingerprint  features  describe  ridges  in  even  greater  detail,  using  information 
such  as  the  width,  shape,  pores  and  other.  All  three  levels  have  been  explored  for  biometric  recognition,  with  level  2 
being  the  most  widely  deployed.  For  the  purpose  of  this  report,  feature  extraction  algorithms  are  categorized  as 
pattern-based  or  minutiae-based.  Essentially,  the  first  falls  under  level  1  features,  and  the  latter  under  level  2.  From  a 
pattern  recognition  point  of  view,  pattern-based  approaches  process  the  fingerprint  image  holistically,  while 
minutiae  patterns  describe  mostly  local  characteristics. 

A  great  challenge  in  fingerprint  recognition  is  the  design  of  templates  that  are  robust  to  elastic  distortion.  In 
addition,  approaches  that  rely  on  minutiae  points  require  perfect  sensor  readings,  otherwise  fake  minutiae  points  will 
be  generated  by  the  algorithms. 

To  address  these  issues,  Xie  et  al.  [121  proposed  a  fingerprint  template  based  on  ridge  patterns,  which  means  that  the 
fingerprint  image  can  be  processed  holistically,  without  the  need  of  minutiae  points  detection. 


The  first  step  in  the  study  of  fingerprint  patterns  is  the  extraction  of  the  skeleton  ridge  image  out  of  the  raw  sensor 
output.  A  typical  solution  is  by  Maio  et  al.  [15L  whereby  the  progression  of  a  ridge  is  examined  until  either  a 
termination  of  intersection  with  other  ridges.  Eventually,  a  skeleton  image  is  a  binary  image  of  lines  running  along 
the  fingerprint  ridges. 


Once  the  skeleton  fingerprint  is  available,  the  next  step  is  labeling  the  ridges  and  examining  the  global  structure. 

P  P  f 

Suppose  ^  and  ^  are  the  starting  and  ending  points  of  an  arbitrary  ridge  ^  These  points  can  then  be  either  ending 

points,  ridge  bifurcations  or  broken  ridges.  Xie  et  al.  [12]  defined  the  curvature  ^  of  ^  as: 

(14) 


Therefore  ^  is  a  measure  of  the  ridge’s  winding  degree,  thus  naturally  invariant  to  the  image  rotation  or  translation. 

f*  f*  d  d 

To  associate  two  ridges  and of  lengths  'and  ^  the  following  conditions  are  examined: 
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Where  ^  thl  are  two  thresholds.  If  the  above  two  conditions  are  satisfied,  the  ridges  under 

consideration  are  pre-matched.  For  every  ridge,  an  associate  table  is  designed  by  sampling  it  at  a  number  of  points, 
and  associating  every  point  with  ridges  in  the  upper  and  lower  parts  (using  the  two  conditions).  In  Xie  et  al.’s  work 
[12],  fingerprint  templates  are  a  set  of  associate  tables  (one  for  every  ridge),  which  in  combination  provide  a 


structural  picture  of  the  fingerprint  image. 


Marana  et  aL  [131  proposed  another  ridge  based  fingerprint  template,  using  the  Hough  transform.  The  framework 
can  be  described  in  four  steps: 

•  Design  of  skeleton  image.  During  this  step,  a  gray  scale  fingerprint  image  is  converted  into  a  thinned  skeleton 
image  (one  pixel  wide).  This  is  achieved  with  the  estimation  of  the  orientation  field  and  segmentation,  as  well 
as  several  heuristics  that  remove  holes  and  speckles  in  the  binary  ridge  map. 

•  Ridge  detection.  During  this  step,  the  goal  is  to  extract  straight  lines  that  approximate  the  fingerprint  ridges.  The 
Hough  transform  [16]  is  used  to  examine  each  pixel  of  a  given  ridge  and  increment  an  accumulator  bin 
according  to  all  the  possible  straight  lines  that  pass  through  that  pixel.  The  peaks  of  the  accumulator  array  of 
pixels  belonging  to  the  same  ridge  indicate  the  parameters  of  the  most  likely  straight  lines  that  match  that  ridge 
in  the  image. 


Fingerprint  registration.  In  order  to  align  an  input  and  a  gallery  fingerprint  image,  rotation,  translation  and  scale 

S  S 

parameters  are  estimated.  If  the  peak  sets  from  the  previous  step  are  denoted  as  ^  and  ^  for  the  input  and 


I  e  5^, 


G-  G  S ^ 
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gallery  images  respectively,  for  every  pair  of  peaks  ^  '  ^  where  and  ^  a  ID  rotation  and  a 

2D  translation  parameters  are  estimated.  The  scale  factor  was  simply  set  to  1 ,  since  all  images  were  acquired 
with  the  same  sensor. 


Fingerprint  matching.  Using  every  triplet  of  rotation  and  translation  parameters  ^  ,  the  input  image 

is  aligned  with  the  template  image,  and  a  matching  score  is  calculated.  The  overall  score  of  the  pair  is  the 
maximum  for  all  triplets. 


The  match  score  is  proportional  to  the  number  of  detected  ridges  in  the  input  and  gallery  images.  The  score  is 
estimated  using: 
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Where  the  -th  element  of  matrix  ^  indicates  how  many  pixels  of  the  i-th  ridge  of  the  template  fingerprint 
coincide  with  pixels  of  the  j-th  ridge  of  the  template  fingerprint.  Also  ^  and  b  are  estimated  as: 
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Where  is  the  number  of  pixels  of  the  i-th  ridge  of  the  input  fingerprint.  Only  the  ridges  of  one 

fingerprint  image  that  intercept  at  least  one  ridge  of  the  other  image  are  considered  in  the  computation,  because 
they  carry  high  entropy  information. 


Khalil  et  aL  [141  proposed  a  fingerprint  verification  algorithm  based  on  statistical  descriptors.  The  essence  of  the 
method  is  the  statistical  analysis  of  co-occurrence  matrices  obtained  using  a  singular  point  on  the  orientation  field. 
The  algorithm  is  comprised  of  five  steps: 


Image  enhancement.  The  short  time  Fourier  transform  is  applied  on  overlapping  windows  of  the  fingerprint 
image  for  filtering.  This  analysis  outputs  the  ridge  orientation  image,  the  energy  image  and  the  ridge  frequency 
image.  Then  an  angular  filter  is  used  for  enhancement. 


Detection  of  singular  point.  To  detect  this  point,  the  image  is  divided  into  non-overlapping  blocks  of  size 
16x16.  The  gradients  on  the  horizontal  and  vertical  directions  are  computed  (using  a  Sobel  mask),  denoted  as 


and  respectively, 

within  a  window  ^  as 


The  ridge  orientation  of  every  pixel  is  then  computed  for  the  gradients 
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The  ridge  orientation  is  smoothened  with  a  Gaussian  low-pass  filter.  Next,  the  orientation  image  is  converted 
into  a  continuous  vector  field  as  follows: 
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And  a  two  dimensional  Gaussian  low-pass  filter  is  applied  on  ^  and  .The  singular  point,  is  the  point  of 
maximum  curvature,  and  it  can  be  found  using 
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Extraction  of  sub-image.  The  detected  singular  points  acts  as  the  centre  for  determining  a  sub-image  of  size 
129x129  from  the  original  fingerprint  image. 

Feature  extraction.  The  gray  level  co-occurrence  matrix  (GLCM)  is  then  used  to  extract  texture  characteristics 


from  the  sub-image.  A  co-occurrence  matrix  is  specified  by  the  relative  frequencies  ^  ^  in  which 
two  pixels,  separated  by  a  distance  ^  ,  occur  in  a  direction  specified  by  an  angle  ^  ,  one  with  gray  level  ^  and 

one  with  J  .  Several  GLCMs  are  computed  for  a  number  of  directions  ^  and  the  template  is  based  on  four 
statistical  features  for  every  matrix: 
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Minutiae  based  approaches  to  fingerprint  recognition  are  most  typical  and  most  widely  deployed  solutions.  As 
opposed  to  pattern  based  approaches  that  examine  the  signal  holistically  and  design  texture  or  morphological 
templates,  approaches  based  on  minutiae  points  explore  the  finest  characteristics  of  fingerprint  images.  Among  such 
approaches,  Jain  et  aL  [171  fingerprint  templates  became  very  popular. 

A  minutiae  point  can  take  the  form  of  ridge  ending  or  bifurcation.  The  location  of  such  points  on  the  fingerprint  is 
what  makes  this  modality  unique.  However,  in  order  to  extract  this  information  there  several  steps  that  need  to  be 
followed,  in  order  for  the  image  to  be  appropriately  pre-processed  i.e.,  orientation  field  estimation  and  ridge 
detection. 

Jain  at  aL  [171  suggested  that  the  orientation  field  can  be  estimated  in  sixsteps  as  follows: 

•  Divide  the  image  in  blocks  of  size  w. 

f  f 

•  Compute  the  gradients  and  ^  of  each  pixel  for  both  directions. 

V  V 

•  Calculate  the  local  orientation  tables  ^  and  ^  based  on  the  gradients: 
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Estimate  the  orientation  0  for  every  wxw  block. 
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Apply  a  low-pass  filter  a  block  level. 
Compute  the  local  ridge  orientation  O. 


Once  the  orientation  field  is  estimated,  a  segmentation  algorithm  is  applied  to  remove  the  background 
information  of  the  image.  A  measure  of  local  certainty  is  used  to  locate  regions  of  interest: 
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A  threshold  on  the  certainty  level  allows  the  system  to  distinguish  and  remove  background 

information  which  is  redundant. 

The  next  step  of  the  algorithm  is  the  detection  of  pixels  that  belong  to  ridges.  Detection  is  based  on  the  gray 
level  intensity  of  these  pixels  along  a  direction  normal  to  the  local  ridge  map.  To  do  that,  two  masks  are  defined 
and  convolved  with  the  image: 
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These  masks  are  able  to  adaptively  identify  the  local  maximum  gray-level  values  along  a  local  ridge  direction.  If 
both  gray  scale  intensities  are  larger  than  a  threshold,  then  the  respective  pixel  is  labeled  as  a  ridge.  Once  a  skeleton 
image  is  available,  minutiae  detection  is  the  last  step  of  the  biometric  template  design.  The  algorithm  for  the 


detection  is  heuristic.  For  a  pixel  at  a  location 
are  examined. 
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The  pixel  is  classified  as  ridge  ending  if  ^  and  ridge  bifurcation  if  ^  .  However,  because 

this  procedure  is  very  sensitive  to  surrounding  spikes  due  to  noise  or  misinterpretation  of  pixels,  a  smoothing 
operation  is  first  applied  on  the  ridge  skeleton  to  remove  rapid  spikes  and  to  connect  broken  ridges.  According  to 
[17]  the  fingerprint  template  is  comprised  of  the  following  information  for  every  detected  minutiae  point: 

•  Coordinate  x 

•  Coordinate  y 


=  1 


£^, 


>2 


•  Orientation 

•  Associated  ridge  segment 

D.2  Fingerprint  Standards 

ANSI/INCITS  381-2004  -  Finger  image  based  data  interchange  format  specifies  an  interchange  format  for  the 
exchange  of  image-based  fingerprint  and  palm  print  recognition  data.  It  defines  the  content,  format,  and  units  of 
measurement  for  such  information.  This  standard  is  intended  for  those  identification  and  verification  applications 
that  require  the  use  of  raw  or  processed  image  data  containing  detailed  pixel  information. 

ANSI/INCITS  377-2009  -  Finger  Pattern  Data  Interchange  Format  specifies  an  interchange  format  for  the 
exchange  of  pattern-based  fingerprint  recognition  data.  It  describes  the  conversion  of  a  raw  fingerprint  image  to  a 
cropped  and  down-sampled  finger  pattern  followed  by  the  cellular  representation  of  the  finger  pattern  image  to 
create  the  finger-pattern  interchange  data.  The  main  points  of  difference  between  this  revised  version  and  the 
original  standard  are  the  inclusion  of  two  new  fields  in  the  Record  Header  part  of  the  Finger  Pattern  Data  Record. 
These  new  fields  are  called  Capture  Equipment  Compliance  (see  6.2.4.2)  and  Capture  Equipment  ID  (see  6.2.4. 3). 
The  revised  standard  also  describes  a  method  to  store  (optional)  Core  and  Delta  information  in  the  Extended  Data 
field  of  the  Finger  Pattern  Data  record  (see  6. 3. 2. 2).  The  above  changes  were  done  to  improve  the  standard's 
usability  from  a  commercial  point  of  view  and  also  to  harmonize  it  with  ANSI  INCITS  378-2004,  Finger  Minutia 
Format  for  Data  Interchange. 

ISO/IEC  19794-2:2005  -  Biometric  data  interchange  formats  —  Part  2:  Finger  minutiae  data  specifies  a 
concept  and  data  formats  for  representation  of  fingerprints  using  the  fundamental  notion  of  minutiae.  It  is  generic,  in 
that  it  may  be  applied  and  used  in  a  wide  range  of  application  areas  where  automated  fingerprint  recognition  is 
involved.  ISO/IEC  19794-2:2005  contains  definitions  of  relevant  terms,  a  description  of  how  minutiae  shall  be 
determined,  data  formats  for  containing  the  data  for  both  general  use  and  for  use  with  cards,  and  conformance 
information.  Guidelines  and  values  for  matching  and  decision  parameters  are  provided  in  an  informative  annex. 
ISO/IEC  19794-2:2005  specifies  the  fundamental  data  elements  used  for  minutiae-based  representation  of  a 
fingerprint;  three  data  formats  for  interchange  and  storage  of  this  data:  a  record-based  format,  and  normal  and 
compact  formats  for  use  on  a  smart  card  in  a  match-on-card  application;  optional  extended  data  formats  for 
including  additional  data  such  as  ridge  counts  and  core  and  delta  location.  ISO/IEC  19794-2:2005  provides  for 
interchange  of  finger  minutiae  data  between  sensing,  storage  and  matching  systems. 

ISO/IEC  19794-3:2006  -  Biometric  data  interchange  formats  —  Part  3:  Finger  pattern  spectral  data,  the  finger 
pattern  spectral  data  interchange  format,  specifies  requirements  for  the  representation  of  local  or  global  spectral  data 
derived  from  a  fingerprint  image.  The  format  is  designed  to  provide  flexibility  in  the  choice  of  spectral 
representation  in  that  spectral  components  may  be  based  on  quantized  co-sinusoidal  triplets.  Discrete  Fourier 
Transformations  or  Gabor  filters.  The  format  also  allows  for  a  variable  number  of  spectral  components  to  be 
retained,  which  enables  data  representations  in  a  form  that  is  more  compact  than  storage  of  the  entire  fingerprint 
image.  ISO/IEC  19794-3:2006  provides  example  data  records  for  each  of  the  spectral  representations. 

ISO/IEC  19794-4:2005  -  Biometric  data  interchange  formats  —  Part  4:  Finger  image  data  specifies  a  data 
record  interchange  format  for  storing,  recording,  and  transmitting  the  information  from  one  or  more  finger  or  palm 
image  areas  within  an  ISO/IEC  1 9785- 1  CBEFF  data  structure.  This  can  be  used  for  the  exchange  and  comparison 
of  finger  image  data.  It  defines  the  content,  format,  and  units  of  measurement  for  the  exchange  of  finger  image  data 
that  may  be  used  in  the  verification  or  identification  process  of  a  subject.  The  information  consists  of  a  variety  of 
mandatory  and  optional  items,  including  scanning  parameters,  compressed  or  uncompressed  images  and  vendor- 
specific  information.  This  information  is  intended  for  interchange  among  organizations  that  rely  on  automated 
devices  and  systems  for  identification  or  verification  purposes  based  on  the  information  from  finger  image  areas. 
Information  compiled  and  formatted  in  accordance  with  ISO/IEC  19794-4:2005  can  be  recorded  on  machine- 
readable  media  or  may  be  transmitted  by  data  communication  facilities. 

ISO/IEC  19794-8:2006  -  Biometric  data  interchange  formats  --  Part  8:  Finger  pattern  skeletal  data 

specifies  the  interchange  format  for  the  exchange  of  pattern-based  skeletal  fingerprint  recognition  data.  The  data 
format  is  generic,  in  that  it  may  be  applied  and  used  in  a  wide  range  of  application  areas  where  automated 
fingerprint  recognition  is  involved.  The  exchange  format  defined  in  ISO/IEC  19794-8:2006  describes  all 


characteristics  of  a  fingerprint  in  a  small  data  record.  Thus  it  allows  for  the  extraction  of  both  spectral  information 
(orientation,  frequency,  phase,  etc.)  and  features  (minutiae,  core,  ridge  count,  etc.).  Transformations  like  translation 
and  rotation  can  also  be  accommodated  by  the  format  defined  herein.  ISO/IEC  19794-8:2006  supports  the 
proliferation  of  low-cost  commercial  fingerprint  sensors  with  limited  coverage,  dynamic  range,  or  resolution.  Thus  it 
defines  a  data  record  that  can  be  used  to  store  biometric  information  on  a  variety  a  storage  media  (including,  but  not 
limited  to,  portable  devices  and  smart  cards). 

ISO/IEC  29109-2:2010  Conformance  testing  methodology  for  biometric  data  interchange  formats  defined  in 
ISO/IEC  19794  “  Part  2:  Finger  minutiae  data  specifies  elements  of  conformance  testing  methodology,  test 
assertions,  and  test  procedures  as  applicable  to  the  biometric  data  interchange  format  standard  relating  to  finger 
minutiae  data  (i.e.  ISO/IEC  19794-2).  It  establishes  tests  of  assertions  of  the  structure  of  the  finger  minutiae  data 
format  as  specified  in  ISO/IEC  19794-2:2005  (Type  A  Level  1  as  defined  in  ISO/IEC  29109-1:2009),  tests  of 
assertions  of  internal  consistency  by  checking  the  types  of  values  that  may  be  contained  within  each  field  (Type  A 
Level  2  as  defined  in  ISO/IEC  29109-1:2009),  and  tests  of  semantic  assertions  (Type  A  Level  3  as  defined  in 
ISO/IEC  29109-1:2009).  ISO/IEC  29109-2:2010  does  not  establish  tests  of  conformance  of  CBEFF  structures 
embedding  ISO/IEC  19794-2:2005  biometric  data  blocks  (BDBs),  tests  of  other  characteristics  of  biometric  products 
or  other  types  of  testing  of  biometric  products  (e.g.  acceptance,  performance,  robustness,  security),  tests  of 
conformance  of  systems  that  do  not  produce  ISO/IEC  19794-2:2005  records,  or  tests  for  level  3  conformance 
testing. 

ISO/IEC  29109-4:2010  -  Conformance  testing  methodology  for  biometric  data  interchange  formats  defined  in 
ISO/IEC  19794  —  Part  4:  Finger  image  data  specifies  elements  of  conformance  testing  methodology,  test 
assertions,  and  test  procedures  as  applicable  to  ISO/IEC  19794-4.  ISO/IEC  29109-4:2010  establishes  test  assertions 
of  the  structure  of  the  finger  image  data  format  as  specified  in  ISO/IEC  19794-4:2005  (Type  A  Level  1  as  defined  in 
ISO/IEC  29109-1:2009),  test  asssertions  of  internal  consistency  by  checking  the  types  of  values  that  may  be 
contained  within  each  field  (Type  A  Level  2  as  defined  in  ISO/IEC  29109-1:2009),  tests  of  semantic  assertions 
(Type  A  Level  3  as  defined  in  ISO/IEC  29109-1:2009).  ISO/IEC  29109-4:2010  does  not  establish  tests  of 
conformance  of  CBEFF  structures  required  by  ISO/IEC  19794-4:2005,  tests  of  other  characteristics  of  biometric 
products  or  other  types  of  testing  of  biometric  products  (e.g.  acceptance,  performance,  robustness,  security). 
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Annex  F  Summary  of  Literature  on  PET  Evaluation  Results 
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multiple  results.  In  such  cases,  optimal  results  are  listed.  The  other  metrics  are  listed  at  the  value  that  was  needed  to 
achieve  that  level  of  FRR.  In  many  cases,  FRR  and  FAR  were  derived  from  a  reported  equal  error  rate  (EER). 
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Figure  79:  Summary  of  PET  Test  Results 
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